
#1 2014-04-26 16:28:23

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

ProxMark3 Turn off while "hf mf mifare"

Hi all,
I'm new to PM3, I bought one from xfpga and I'm discovering these days step by step how it works.
I'm trying the client side, but I'm so enthusiastic, I've planned to take a look at the sources and try to understand them and hope to contribute.
BTW, by my side normal operations on mifare cards are OK, I read, write, test keys, etc.
Today I tried to launch a "hf mf mifare" in order to try to understand how it works.
When I launch that command, after about 8 seconds, my PM3 turns off, I can hear a relay "click" then all LEDs turn off, the terminal keeps running with its "......".
On the USB I still have the PM3 identified with vendor and product, so I discovered that it was rebooted and a new ttyACM was assigned to it (from /dev/ttyACM0 to /dev/ttyACM1), but the console still remains (or thinks it is) connected to the older ttyACM alias...
I tried to upgrade the firmware to the latest version, and flash it, but that did not fix the problem.
I need to understand if I do something wrong, if the FW has some bug (i.e. during the compile procedure) or maybe a hw problem.
Suggestions?

I use Linux Debian on a notebook (but with a Y cable with both connectors docked) and this is the hw version:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 852 2014-04-24 23:50:30                 
#db# os: svn 852 2014-04-24 23:50:31                 
#db# FPGA image built on 2014/03/21 at 19:45:15                 
uC: AT91SAM7S256 Rev A          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 256K bytes          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 256K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory 

Thank you for helping me!

Last edited by MilkThief (2014-04-28 06:55:08)

Offline

#2 2014-04-27 10:34:25

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Hi all,
update to the issue.
I downgraded my PM3 to an older version and the command "hf mf mifare" runs without reboot.

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 651 2014-04-24 23:36:02                 
#db# os: svn 651 2014-04-27 09:03:38                 
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56  

I tried at least 6 different firmwares and discovered that the issue happens with certain mifare keyfobs (with the latest firmware, too).
I tried back those keyfobs with libnfc on my ACR122 and I can access and attack them without problems.

Maybe a PM3 antenna problem?

WITH TAG:

# LF antenna:  0,00 V @   125.00 kHz          
# LF antenna:  0,00 V @   134.00 kHz          
# LF optimal:  0,00 V @ 12000,00 kHz          
# HF antenna:  9,05 V @    13.56 MHz  

WITHOUT TAG:

# LF antenna:  0,13 V @   125.00 kHz          
# LF antenna:  0,00 V @   134.00 kHz          
# LF optimal:  0,00 V @ 12000,00 kHz          
# HF antenna: 10,67 V @    13.56 MHz          
# Your LF antenna is unusable.

I tried to move the keyfob all around the antenna, bring it to 0,5 - 1 cm and change its angle from 0° to 90°, the best signal (lowest voltage) I can reach is parallel to the antenna, in contact and in a corner on the USB connector side.

But... the other operations are working good...
And a complete reboot (reset) would be excessive for a low rfid signal on the reader side...
(the keyfob is mine, I changed 2 keys and 2 blocks with the PM3, so I know perfectly the content I expect to obtain)

Does nobody here have an idea?
Thank you!

Last edited by MilkThief (2014-04-28 06:54:30)

Offline

#3 2014-04-27 21:12:22

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ProxMark3 Turn off while "hf mf mifare"

So, to summarize (and see if I got it)..
With latest firmware, and also a few of the older ones (but not 651), you get hw reset on the device, when you 'hf mf mifare' certain tags.

I don't think it's antenna issues, it's something else, definitely. Don't know what, though...

Offline

#4 2014-04-27 21:50:49

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

thank you so much for your reply, holiman!
Yes, your summary is correct.
In the meanwhile I've found some issues with the lf operation, too. The "lf em4x em410xread" cannot produce any output on well working tags (i.e. the one I use everyday at the office building door)... No output with or without clock rate autodetection.

I don't know what else I can do to figure out the nature of the problem.
I suspect it is a hw problem, hope that the producer can help me, and hope he's available for a substitution...

Offline

#5 2014-04-27 22:31:44

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: ProxMark3 Turn off while "hf mf mifare"

Your EM41x issue:
Sometimes it has issues, you can normally jumpstart it with issuing 'lf read' and 'data samples 16000' first, then run 'lf em4x em410xread'

Last edited by midnitesnake (2014-04-27 22:32:02)

Offline

#6 2014-04-28 06:52:47

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Thank you, midnitesnake!

proxmark3> lf read
#db# buffer samples: 7c 76 7b 7b 5e 45 30 1f ...                 
proxmark3> data samples 16000
Reading 16000 samples
          
Done!
          
proxmark3> lf em4x em410xread
Auto-detected clock rate: 6          
proxmark3> 

I still suspect it is a hw problem...

proxmark3> lf read
#db# buffer samples: a9 a5 a2 3e 9d 9b 78 5c ...                 
proxmark3> data samples 16000
Reading 16000 samples
          
Done!
          
proxmark3> lf em4x em4x50read
No data found!          
Try again with more samples.          
proxmark3> 

This PM3 does nothing in lf and half in hf... Maybe the multiplexer?
With data plot it seems to plot noise...

Offline

#7 2014-04-29 03:50:32

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: ProxMark3 Turn off while "hf mf mifare"

Do you have electronic test equipment such as oscilloscope, waveform generator, logic analyzer etc?
Can you upload your waveform somewhere?

Offline

#8 2014-04-29 06:15:22

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Hi!
I have an analog oscilloscope only.
By waveform do you mean the one I get with "data plot" or the one I would get with a digital oscilloscope on a PCB test point?

Offline

#9 2014-04-29 08:04:08

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: ProxMark3 Turn off while "hf mf mifare"

Can you compare waveforms from TP1 and from "data plot" with lf read command? Have you tried to contact the seller?

Offline

#10 2014-04-29 10:03:58

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Hi, thank you for the suggestion.
I'll try to find a digital oscilloscope for a day. :-)

Contacted the seller. He's Laser here.
We'll try a teamviewer session in order to check the pm3 functionalities.
Hope he'll understand it's a radio hardware fail...

Offline

#11 2014-04-29 15:40:43

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: ProxMark3 Turn off while "hf mf mifare"

The proxmark has a WatchDogTimer which needs to be triggered regularly - otherwise it will reset. The resetting therefore need not be a hardware issue - could be that the ARM code is in an infinite or at least very long loop without calling WDT_HIT() - the function which triggers the WatchDogTimer.

Offline

#12 2014-04-29 17:34:45

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ProxMark3 Turn off while "hf mf mifare"

Ah, so that's what WDT_HIT is.. I've been wondering.. What's the timeout for that?

Offline

#13 2014-04-29 18:15:39

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Hi,
thank you piwi for the details, what you say can explain the reset, but not the impossibility to read any lf tag (and this happens without reset).
I had a teamviewer session with the seller, he tested and watched the screen.
He said in 3 seconds:

I know what it is, it is a hardware problem, I met this problem before: the connection between arm and fpga and ADC chip. This maybe caused by the shipment.

I will receive a total free replacement and send back the broken board.
I'll keep you informed if I still have that "reset" problem once the "unreadable lf tag" problem is fixed.

Last edited by MilkThief (2014-04-29 18:16:12)

Offline

#14 2014-04-29 18:18:44

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

like piwi says there are a couple of tight loops in the capture routines that don't hit the watchdog, they can't be cancelled with the button either. If the fpga doesn't send data over the SSC it'll stick in that loop and the watchdog kicks in, if it consistently resets after a few seconds, it's the watchdog. I've added WD_HDT and a check for the button in my local builds, but since i'm still in the make it all work stage i haven't checked the impact on the capture.

most of the time it sends data (if the hardware is working), i've seen instances where it hasn't, but not sure why yet.

here's an example that doesn't hit the watchdog or allow the button to break out of the capture, but only happens if something is wrong.

https://github.com/Proxmark/proxmark3/b … 43.c#L1072

it'll get stuck in that for(;;)

Offline

#15 2014-04-29 18:23:57

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

Wow! Ok, my PM3 was just sent back, so I cannot try your code. I think in 10 days I'll be "back on the road", so I'll try your code.
Thank you!

Offline

#16 2014-04-29 18:27:26

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

charliex, your avatar is hard stimulating my curiosity... :-)

Offline

#17 2014-04-29 18:32:49

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

unfortunately adding the wdt/breakout just bypasses the hard watchdog reset, it will help in those situations where it isn't reading data for some yet unknown reason (at least by me), but if there is a hardware issue it won't help.

i just add it because it kills my GUI connection when it hard resets.

Offline

#18 2014-04-30 16:07:59

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: ProxMark3 Turn off while "hf mf mifare"

holiman wrote:

Ah, so that's what WDT_HIT is.. I've been wondering.. What's the timeout for that?

Between 12 and 24 seconds (typically 16 seconds). This depends on the frequency of the ARM's internal "slow clock" RC oscillator which is specified to be between 22kHz and 42kHz (typically 32kHz).

Offline

#19 2014-05-08 13:42:20

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

I can't believe I have in my hands another broken PM3, the seller sent me another different broken PM3!
I am very angry...

Connected units:
	1. SN: ChangeMe [001/003]
proxmark3> hw tune
#db# Measuring antenna characteristics, please wait..                 
#db# Measuring complete, sending report back to host                 
          
# LF antenna:  2,82 V @   125.00 kHz          
# LF antenna:  2,82 V @   134.00 kHz          
# LF optimal:  2,82 V @    46,88 kHz          
# HF antenna:  0,13 V @    13.56 MHz          
# Your LF antenna is marginal.          
# Your HF antenna is unusable.          
proxmark3> 

proxmark3> hw tune
#db# Measuring antenna characteristics, please wait..                 
#db# Measuring complete, sending report back to host                 
          
# LF antenna:  0,00 V @   125.00 kHz          
# LF antenna:  0,00 V @   134.00 kHz          
# LF optimal:  0,00 V @ 12000,00 kHz          
# HF antenna:  0,93 V @    13.56 MHz          
# Your LF antenna is unusable.          
# Your HF antenna is unusable. 

Then:

Connected units:
	1. SN: ChangeMe [001/003]
proxmark3> lf em4x em410xwatch



read failed: could not detach kernel driver from interface 0: No data available(-19)!
Trying to reopen device...

Connected units:
	1. SN: ChangeMe [001/004]
proxmark3> 

Does anybody know where I can buy a proxmark? I'd like to avoid proxmark.com: too high prices and too high duties from USA...

Offline

#20 2014-05-08 13:48:57

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ProxMark3 Turn off while "hf mf mifare"

MilkThief wrote:
# Your LF antenna is unusable.          
# Your HF antenna is unusable. 

It reports your antennas are unusable. Have you used that lf-antenna before, so you know that's not what's causing the problem?

I ordered my first from proxmark3.com, it was pricey but I've had no problems with it. I ordered a second via gaucho, but he had to spend a *lot* of time getting the hw to work properly.

Offline

#21 2014-05-08 13:52:54

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ProxMark3 Turn off while "hf mf mifare"

# LF optimal:  0,00 V @ 12000,00 kHz          
# HF antenna:  0,93 V @    13.56 MHz          
# Your LF antenna is unusable.          
# Your HF antenna is unusable. 

LF optimal at 12000 kHz  (12 MHz) ???

EDIT: hm, maybe that's to be expected when the HF antenna is connected. But why try reading an lf tag with hf antenna? Or did I misunderstand what you did there?

Last edited by holiman (2014-05-08 13:56:50)

Offline

#22 2014-05-08 13:58:44

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

I don't know from where comes out that... It is the original FW.
(it is identical to the value of the other not working PM3 on my previous posts)

Offline

#23 2014-05-09 17:07:42

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: ProxMark3 Turn off while "hf mf mifare"

mifare.jpg

hf mf mifare is working~

Offline

#24 2014-05-09 18:16:05

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

I have had a couple of proxmark3's from proxmark3.com, no problems either. What's your antenna setup look like? If you have a scope or DMM, measure the lf antenna, see if it's shorted or something. An inductance or resistance reading would help, scope better.

Offline

#25 2014-05-09 20:09:41

Enio
Contributor
Registered: 2013-09-24
Posts: 175

Re: ProxMark3 Turn off while "hf mf mifare"

the problem with those tight loops is, if you slow the loop down too much when you are receiving data with very high speed it might miss a sample. A better solution could be to add a counter and break the loop when txready hasn't been up for a while and reset on txready. fastest should be counting down and check for var == 0, it could still be too much for special cases.

Offline
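
Added example, not part of the original thread and not Proxmark3 firmware code: a C model of the capture-loop fix discussed in posts #14 and #25, where the wait for receiver data counts down an idle budget, reloads it on every sample, and returns a timeout instead of spinning until the watchdog resets the device. The `sim_*` helpers, `WDT_SERVICE_INTERVAL`, the idle budget of 1000 and the sample bytes are all assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated receiver, constructed for this example (not Proxmark3 code).
 * It stands in for the FPGA-to-ARM sample stream and the watchdog. */
typedef struct {
    const uint8_t *samples;     /* bytes the simulated FPGA will deliver */
    size_t n_samples;
    size_t delivered;
    size_t stall_after;         /* stream goes silent after this many    */
    uint32_t polls_per_sample;  /* status polls needed before data ready */
    uint32_t poll_count;
    uint32_t total_polls;       /* every status poll, ready or not       */
    uint32_t wdt_hits;          /* how often the watchdog was serviced   */
} sim_rx_t;

static int sim_rx_ready(sim_rx_t *hw)
{
    hw->total_polls++;
    if (hw->delivered >= hw->stall_after || hw->delivered >= hw->n_samples)
        return 0;               /* stalled: the ready flag never rises */
    return ++hw->poll_count >= hw->polls_per_sample;
}

static uint8_t sim_rx_read(sim_rx_t *hw)
{
    hw->poll_count = 0;
    return hw->samples[hw->delivered++];
}

static void sim_wdt_hit(sim_rx_t *hw) { hw->wdt_hits++; }

enum { CAPTURE_OK = 0, CAPTURE_TIMEOUT = -1 };
#define WDT_SERVICE_INTERVAL 4u /* samples between watchdog hits (assumed) */

/* Capture `want` bytes. The idle counter counts down while no data is
 * ready and is reloaded on every sample, so a silent stream ends the
 * loop after idle_budget polls instead of hanging. The watchdog is
 * serviced only on progress, keeping the not-ready path to a decrement
 * and a compare against zero. */
int capture_bounded(sim_rx_t *hw, uint8_t *dest, size_t want,
                    uint32_t idle_budget, size_t *got)
{
    uint32_t idle;
    size_t n = 0;

    if (idle_budget == 0)
        idle_budget = 1;        /* avoid wrap-around on the first decrement */
    idle = idle_budget;

    while (n < want) {
        if (sim_rx_ready(hw)) {
            dest[n++] = sim_rx_read(hw);
            idle = idle_budget;             /* reset on data ready */
            if (n % WDT_SERVICE_INTERVAL == 0)
                sim_wdt_hit(hw);
            continue;
        }
        if (--idle == 0) {                  /* stream stalled: give up */
            *got = n;
            return CAPTURE_TIMEOUT;
        }
    }
    *got = n;
    return CAPTURE_OK;
}

typedef struct {
    int result;
    size_t got;
    uint32_t polls;
    uint32_t wdt_hits;
} demo_outcome_t;

/* Run one capture of 8 constructed bytes; the stream stalls after
 * `stall_after` samples (SIZE_MAX means it never stalls). */
demo_outcome_t run_demo(size_t stall_after)
{
    static const uint8_t stream[8] = {0x10, 0x11, 0x12, 0x13,
                                      0x14, 0x15, 0x16, 0x17};
    sim_rx_t hw = { stream, sizeof stream, 0, stall_after, 3, 0, 0, 0 };
    uint8_t dest[8] = {0};
    demo_outcome_t out;

    out.result = capture_bounded(&hw, dest, sizeof dest, 1000, &out.got);
    out.polls = hw.total_polls;
    out.wdt_hits = hw.wdt_hits;
    return out;
}

int main(void)
{
    demo_outcome_t ok = run_demo(SIZE_MAX);
    demo_outcome_t stalled = run_demo(5);

    printf("healthy: result=%d got=%zu polls=%u wdt_hits=%u\n",
           ok.result, ok.got, (unsigned)ok.polls, (unsigned)ok.wdt_hits);
    printf("stalled: result=%d got=%zu polls=%u wdt_hits=%u\n",
           stalled.result, stalled.got, (unsigned)stalled.polls,
           (unsigned)stalled.wdt_hits);
    return 0;
}
```

In real firmware the idle budget would have to be sized against the sample rate and kept well below the watchdog timeout, so the loop returns an error to the caller before the hardware reset fires.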

#26 2014-05-09 20:59:22

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

The board is broken. Another teamviewer with the producer revealed that.
I can't figure out how is it possible to have 2 unlucky experiences in both shippings...

Offline

#27 2014-05-10 16:54:51

RadioWar
Contributor
From: China
Registered: 2012-09-15
Posts: 96

Re: ProxMark3 Turn off while "hf mf mifare"

MilkThief wrote:

The board is broken. Another teamviewer with the producer revealed that.
I can't figure out how is it possible to have 2 unlucky experiences in both shippings...

some one told me :"he said "hf mf mifare" is never working......"
so i dont think is ur unlucky

Offline

#28 2014-05-11 21:20:14

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

RadioWar wrote:

some one told me :"he said "hf mf mifare" is never working......"
so i dont think is ur unlucky

No, the board is broken, the lf part is not working, too. You can see that on the "hw tune" result.
Test points are showing no voltage.
I think this is bad luck and wait for the 3rd shipping. The problem here is that every time I have to pay customs...
It is a stupid law: I receive a replacement and I have to pay again vat and duties!

Offline

#29 2014-05-12 19:22:26

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

You shouldn't have to pay if it is marked it as a "replaced/repaired" item. I used to send ECU's i repaired or reflashed all over the world like this, no import duties.

Offline

#30 2014-05-12 19:34:23

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

The customs office does not always read the whole label.

Offline

#31 2014-05-14 18:18:40

MilkThief
Contributor
Registered: 2014-04-11
Posts: 104

Re: ProxMark3 Turn off while "hf mf mifare"

My bad experience continues on this post because it has become a wider problem, not "mifare classic"...
Thanks to all who tried to help me with the technical part of the issue!

Offline

#32 2014-05-14 20:22:23

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

MilkThief wrote:

charliex, your avatar is hard stimulating my curiosity... :-)

i just noticed this comment, there is a thread about in the "innovations" section of the forum


the problem with those tight loops is, if you slow the loop down too much when you are receiving data with very high speed it might miss a sample. A better solution could be to add a counter and break the loop when txready hasn't been up for a while and reset on txready. fastest should be counting down and check for var == 0, it could still be too much for special cases.

yep, some of the areas are time sensitive, i'm wondering if they're dma'ble instead, i know we struggled a lot getting the timing working on the STM32F1 capturing the 13.56Mhz at bit bang, at DMA SPI it went a lot better ( til we realised the 125khz has a 24mhz clocked capture)

Offline

#33 2014-05-14 23:46:12

Enio
Contributor
Registered: 2013-09-24
Posts: 175

Re: ProxMark3 Turn off while "hf mf mifare"

True, LF ssp could be slowed down easily. My experience of timing issues comes from adc reads of 24mhz/8 put on ssc for HF snoop passthrough.

Offline

#34 2014-05-15 00:43:51

charliex
Contributor
From: Los Angeles/Scotland
Registered: 2010-08-05
Posts: 70
Website

Re: ProxMark3 Turn off while "hf mf mifare"

i wish i could have slowed it down a few weeks ago, i ended up using the sam7512b temporarily while we figure out the F4, just ran out of time/man power. I think we can get the 24Mhz SPI going on the F4, since its plenty fast enough, but it'd be easier to deal with if it was more like the 13.56Mhz capture speed. the SSC in the sam7  is pretty amazing.

Offline

#35 2014-06-03 06:39:05

gryphonw
Member
Registered: 2013-12-04
Posts: 7

Re: ProxMark3 Turn off while "hf mf mifare"

The same problem - turning off while "hf mf mifare", proxmark3 from the same source (

Offline

#36 2014-06-12 10:20:53

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

Hello, I'm having the same issue ; the

hw mf mifare

runs for 1h30 and suddenly the proxmark turns off ; I have to abort with keyboard after.
Below the execution result :

proxmark3> hf 14a read
ATQA : 04 00
 UID : XX XX XX XX
 SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443a-4 card found, RATS not supported

proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
................................................................................
..................................................

aborted via keyboard!

I have the latest build from SVN  :

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 756 2013-07-13 08:11:47
#db# os: svn 852 2014-06-11 18:06:26
#db# FPGA image built on 2014/03/21 at 19:45:15
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

Any clue to progress on it ? thanks

Offline

#37 2014-06-12 10:45:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

well.. no, you have from a version before the project moved to Github.

Try the latest version from the github.

Offline

#38 2014-06-12 20:21:55

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

Well, I've just done the test with the latest Github compiled package (pm3-bin-0.0.2) for windows and I have exactly the same issue :

proxmark3> hw ver
#db# Prox/RFID mark3 RFID instrument
#db# bootrom: svn 0 2014-03-30 07:16:36
#db# os: svn 0 2014-03-30 07:16:40
#db# FPGA image built on 2014/03/24 at 21:54:44
uC: AT91SAM7S256 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
proxmark3> hf mf mifare
-------------------------------------------------------------------------
Executing command. Expected execution time: 25sec on average  :-)
Press the key on the proxmark3 device to abort both proxmark3 and client.
-------------------------------------------------------------------------
..................................................................................................................................
....................................

hf mf mifare works fine with other tags.

Offline

#39 2014-06-13 07:55:21

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: ProxMark3 Turn off while "hf mf mifare"

Well, that is probably a non-vulnerable tag you have there, they fixed the prng in "plus". This thread is about the proxmark turning off in the middle of the operation. You at least seem to be able to run it for more than an hour? If it isn't cracked within a relatively short time, it probably won't crack.

Offline

#40 2014-06-13 08:42:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

So it works with other tags? OK, what kind of tag is it? It could be one of the new versions where they fixed the entropy in the prng and the current "hf mf mifare" doesn't crack that.
Try the "snoop -x", which Holiman added. Maybe you get lucky. And btw, have you tried the "hf mf chk"? Or the lua-script version of it?

Offline

#41 2014-06-13 08:48:16

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

Your assumption might be right; it might be a new tag. Is there a way to verify that?
Regarding snoop -x, I will test it and let you know.

Regarding the last point, I do not know how to use the lua script; where can I find documentation on it? And which specific lua script are you talking about?

Thanks for your support,

Offline

#42 2014-06-13 09:08:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

In general: search the forum, read holiman's entries about it.
In short: in the pm3 client prompt, "script" is the command, which tells you more... "script list" to show which scripts exist. "script run nnnnnn" runs a script.

Offline

#43 2014-06-14 13:45:57

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

Many thanks Iceman !
I've tried the script

 run mifare_autopwn.lua

but we are facing exactly the same issue.

I will have to try with snoop.
Question: I've searched the forum but found nothing related to "snoop -x" as you've previously mentioned. What is this -x parameter for?

Offline

#44 2014-06-14 20:15:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

You could try the mifare check script. It tries 64 different known keys... if you are lucky...

Offline

#45 2014-06-15 09:54:47

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

Oh oh! script run mfkeys returns some interesting output!

Found a NXP MIFARE CLASSIC 1k | Plus 2k tag
...
________________________________________
|Sector|Block|     A      |      B     |
|--------------------------------------|
|   1  |   3 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|   2  |   7 |A0A1A2A3A4A5||
|   3  |  11 |A0A1A2A3A4A5||
|   4  |  15 |A0A1A2A3A4A5||
|   5  |  19 |A0A1A2A3A4A5||
|   6  |  23 |A0A1A2A3A4A5||
|   7  |  27 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|   8  |  31 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|   9  |  35 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  10  |  39 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  11  |  43 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  12  |  47 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  13  |  51 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  14  |  55 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  15  |  59 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|  16  |  63 |A0A1A2A3A4A5|B0B1B2B3B4B5|
|--------------------------------------|

Question: if we do not have any B keys returned for SB 2-7, 3-11, and so on, does it mean that the tag does not have B keys for these Sector/Block or that the script was not able to find it?

In any case, thanks a lot Iceman!

Offline

#46 2014-06-15 13:22:18

app_o1
Contributor
Registered: 2013-06-22
Posts: 247

Re: ProxMark3 Turn off while "hf mf mifare"

0x38F wrote:

Question: if we do not have any B keys returned for SB 2-7, 3-11, and so on, does it mean that the tag does not have B keys for these Sector/Block or that the script was not able to find it?

In any case, thanks a lot Iceman!

As far as I know there is always a B key.
You know at least one key "A0A1A2A3A4A5" which is a "common/known key". From here, it is easy to get the missing ones.

Offline

#47 2014-06-15 13:41:22

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

well, now that you have some keys then you can use the "hf mf nested" .... 

and snoop -x  is something Holiman cocked up. It's well documented in the forum somewhere.

Offline

#48 2014-06-15 17:12:30

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

hf mf nested is not helpful; I think that I will have to snoop to make progress.


|---|----------------|---|----------------|---|
|sec|key A           |res|key B           |res|
|---|----------------|---|----------------|---|
|000|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|001|  a0a1a2a3a4a5  | 1 |  000000000000  | 0 |
|002|  a0a1a2a3a4a5  | 1 |  000000000000  | 0 |
|003|  a0a1a2a3a4a5  | 1 |  000000000000  | 0 |
|004|  a0a1a2a3a4a5  | 1 |  000000000000  | 0 |
|005|  a0a1a2a3a4a5  | 1 |  000000000000  | 0 |
|006|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|007|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|008|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|009|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|010|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|011|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|012|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|013|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|014|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|015|  a0a1a2a3a4a5  | 1 |  b0b1b2b3b4b5  | 1 |
|---|----------------|---|----------------|---|

Offline

#49 2014-06-15 18:06:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497
Website

Re: ProxMark3 Turn off while "hf mf mifare"

Actually, since you have all A keys, which depends on the access rights, but you should be able to dump the card with those keys.
I'm not sure what you want to achieve, since the original question was that your "hf mf mifare" command timeout and you got an answer to that. If you have a question, better start a new thread since this one is more or less finished.

Offline

#50 2014-06-16 06:40:12

0x38F
Contributor
Registered: 2014-04-12
Posts: 10

Re: ProxMark3 Turn off while "hf mf mifare"

I agree with you, the initial question is closed now.
I will keep on trying to get the missing B keys for sectors 1-5 (these sectors are not accessible with Key A); if it fails, I will open a new thread.

Thanks again for your support.

Offline
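The dependence on access rights discussed in posts #49 and #50, as an added example that is not part of the original thread: a decoder for the three access bytes of a MIFARE Classic sector trailer, showing which key can read each data block. The function names and both sample trailers are constructed for illustration, and 4-block sectors (the 1K layout) are assumed.

```python
# Added example: decode access bytes 6-8 of a MIFARE Classic sector trailer
# (layout per the public MF1S50 datasheet). Names here are hypothetical.

# Who may read a data block, indexed by (C1, C2, C3).
DATA_READ = {
    (0, 0, 0): "A|B", (0, 1, 0): "A|B", (1, 0, 0): "A|B", (1, 1, 0): "A|B",
    (0, 0, 1): "A|B", (0, 1, 1): "B",   (1, 0, 1): "B",   (1, 1, 1): "never",
}
# Trailer conditions under which key B is readable; it is then plain data
# and cannot be used for authentication.
KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bytes(b6, b7, b8):
    """Return [(C1, C2, C3)] for blocks 0..3; raise if the inverted copies disagree."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4      # true nibbles
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F    # inverted nibbles
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0x0F, 0x0F, 0x0F):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def readers(trailer_hex):
    """Map data blocks 0-2 of a sector to the key(s) that can read them."""
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    bits = decode_access_bytes(t[6], t[7], t[8])
    keyb_is_data = bits[3] in KEYB_READABLE
    out = {}
    for blk in range(3):
        who = DATA_READ[bits[blk]]
        if keyb_is_data:  # key B cannot authenticate in this sector
            who = {"A|B": "A", "B": "never"}.get(who, who)
        out[blk] = who
    return out


# Constructed trailers: key A | access bytes | user byte | key B (keys zeroed).
TRANSPORT = "000000000000" + "FF0780" + "69" + "000000000000"
B_ONLY = "000000000000" + "0F00FF" + "00" + "000000000000"  # all blocks 0,1,1

if __name__ == "__main__":
    print(readers(TRANSPORT))  # every data block readable with key A
    print(readers(B_ONLY))     # data blocks readable with key B only
```

The access bytes themselves are readable with key A under every trailer condition, so a sector that refuses data reads with key A can still be checked this way.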
