Proxmark3 community


#1 2015-04-06 12:01:46

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

[requests] What would you like to see next on proxmark3 ?

I would like to express here what I would like to be implemented/improved in future proxmark3 releases; if more than 1 would like to have the same features we can team-up to make them see the light:

HF
- add ISO15693 simulation
- add EPA support (actual EPA is 100% not working for the EPA tested by me and a few other people); EPAs are a kind of smart card, you need to know which commands to send and read the response; datasheets (more or less full) are available.
- Mifare Desfire implementation
- Calypso implementation (Calypso probably uses ISO14443B protocol in latest versions; probably earlier versions use proprietary Innovatron ISO14443B')
- complete Jewel/Topaz support (especially sim command - almost done thanks to the great piwi work)
- add mifare ultralight/ev1/NTAG simulation (pm3 can do that)
- add Sony FeliCa support (technical datasheets available)
- EMV implementation (Visa, Mastercard - Peter filmoore has one laying around)
- iClass write
- detection of Mifare Classic NACK bug

LF
- improve PCF support (datasheets are available for some tags - maybe iZsh will come in handy!)
- converting a LF tagnumber (printed number) into complete or partial clone command
- LF sim with a "bruteforce" mode where you can set the facilitycode and simulating the ID in a bruteforcing-way
- EM4x50 full read/write/password
- LF T55x7 password sniff
- EM4x05 full read/write/password
- LF T55XX bruteforce on the password (or analysing the time it takes)

Software Improvements
- A pipe buffer (that you could keep the transaction log on one file in the computer, not in the internal Atmel's buffer)
- Some way of fuzzing protocols.
- Side-channel/power analysis attacks support.


If you have any (feasible) request feel free to post it here. I will update this post adding new (again, feasible, e.g. "Make coffee" will not be taken into consideration ;) ) requests and the number of people interested.

Last edited by asper (2015-10-17 17:26:24)

Offline

#2 2015-04-06 18:49:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

- implementation of Mifare Desfire.
- implementation of EMV (Visa, Mastercard). Peter filmoore has one laying around. Would love to get that one in the Master.
- implementation of Calypso. (full datasheets needed.)

Offline

#3 2015-04-06 20:01:15

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

1st post updated ;)

Offline

#4 2015-04-06 21:30:48

thefkboss
Contributor
Registered: 2008-10-26
Posts: 198

Re: [requests] What would you like to see next on proxmark3 ?

A pipe buffer (that you could keep the transaction log on one file in the computer, not in the internal Atmel's buffer)
this could keep bigger transaction logs, because you will use your hdd instead of the Atmel's memory

Offline

#5 2015-04-06 22:09:05

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

Great work ! This is what I was talking about.
1st post updated.

Offline

#6 2015-04-06 22:17:28

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

LF:
EM4x50 full read/write/password
EM4x05 full read/write/password

HF:
iClass write

UHF: (i know i'm dreaming)

Offline

#7 2015-04-06 22:29:28

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

Is it possible to add UHF capabilities hacking pm3 hardware ? (capacitor+antenna?)

Offline

#8 2015-04-07 07:33:39

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

We should be able to get 400 MHz at least, but 800-900 MHz I doubt.

Offline

#9 2015-04-07 14:57:03

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [requests] What would you like to see next on proxmark3 ?

400 MHz? How? As for reader-side, how could we generate such a carrier, we don't have any crystals that fast, afaik...?

Offline

#10 2015-04-07 15:01:41

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

Lol. Look what I started... UHF would need a hardware change, probably a significant one. But it would be a cool device if we could re-use all the pm3 code and have UHF.

Offline

#11 2015-04-07 18:37:12

vivat
Contributor
Registered: 2010-10-26
Posts: 332

Re: [requests] What would you like to see next on proxmark3 ?

Side-channel/power analysis attacks support.

Offline

#12 2015-04-08 21:41:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

When it comes to the wish for better PCF support, it seems this will be solved when iZsh commits his improved PCF functionality.
So that's kind of cool.

Otherwise I must just say that the PM3 has evolved so much in the last year. Nowadays it is more about adding protocols than figuring out why basic stuff doesn't work or if it was supposed to be like that.

Offline

#13 2015-04-12 13:52:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

Some way of fuzzing protocols? Like how to find out the "nack" bug in Mifare classic.

Offline

#14 2015-04-23 16:12:13

dk1206
Contributor
Registered: 2014-12-23
Posts: 34

Re: [requests] What would you like to see next on proxmark3 ?

Maybe CIPURSE implementation ?

Offline

#15 2015-04-30 16:59:20

Kieths
Contributor
Registered: 2015-04-21
Posts: 18

Re: [requests] What would you like to see next on proxmark3 ?

Add an 'hf search', similar to the current 'lf search', to help quickly identify unknown devices when / if possible.

Offline

#16 2015-05-13 12:19:34

dk1206
Contributor
Registered: 2014-12-23
Posts: 34

Re: [requests] What would you like to see next on proxmark3 ?

Hey guys,

Any news on CIPURSE idea of implementation ? Has anyone even approached researching how to clone CIPURSE cards ?

Offline

#17 2015-05-13 18:40:01

joe
Contributor
Registered: 2013-08-15
Posts: 126

Re: [requests] What would you like to see next on proxmark3 ?

need more functional cmds for iclass, none of them can work now.

Offline

#18 2015-06-18 20:20:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

I think @asper can edit the UL/NTAG sim request... :)


Back to suggestions:

Marshmellow mentioned once that he wanted to see a LF T55XX bruteforce on the password. Or analysing the time it takes...


I would like to see converting a LF tagnumber (printed number) into complete or partial clone command?! If you understand what I'm aiming at.
Also the old LF sim with a "bruteforce" mode where you set the facilitycode and simulating in a bruteforce manner the id...

Offline

#19 2015-06-18 23:00:58

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

Done! ;)

Offline

#20 2015-06-22 10:42:46

lutcheti
Contributor
Registered: 2015-05-21
Posts: 30

Re: [requests] What would you like to see next on proxmark3 ?

Hi guys,
I would love to see a Calypso implementation (v. ISO14443B) come out.
Fuzzing capabilities would be great as well.
I'm just starting with Proxmark3 but I was about to try to reverse (using fuzzing?) a calypso implementation (the one that is used in travel card in Paris) so I'd be glad to help/team-up/do something.

Offline

#21 2015-06-25 02:29:58

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

iceman wrote:

I would like to see converting a LF tagnumber (printed number) into complete or partial clone command?! If you understand what I'm aiming at.
Also the old LF sim with a "bruteforce" mode where you set the facilitycode and simulating in a bruteforce manner the id...

the challenge with this is what format should we make? there are literally hundreds. :(

handling them via the raw wiegand data covers all of them, which is why the commands are the way they are.

Offline

#22 2015-06-25 02:31:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

iceman wrote:

I think @asper can edit the UL/NTAG sim request... :)

granted this hasn't made its way to the main trunk yet...

Offline

#23 2015-06-25 02:34:33

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

lutcheti wrote:

Hi guys,
I would love to see a Calypso implementation (v. ISO14443B) come out.
Fuzzing capabilities would be great as well.
I'm just starting with Proxmark3 but I was about to try to reverse (using fuzzing?) a calypso implementation (the one that is used in travel card in Paris) so I'd be glad to help/team-up/do something.

a good start would be to get a snoop of the transactions and post them on the forum in the Calypso section. now that 14b is working well, if the tags are fully 14b it should be semi easy to make some progress.

Offline

#24 2015-06-25 09:08:14

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

Well @marshmellow, I got my wish for a UL/NTAG sim. If it makes its way to PM3 master is another thing.

With @pwpiwi's fpga compress finished, that has opened up some more possibilities.

Offline

#25 2015-06-25 20:56:06

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

Calypso may be using a different protocol to send (or receive); it can be 14B' and not 14B.

Offline

#26 2015-06-25 21:20:34

jump
Contributor
Registered: 2015-04-29
Posts: 57

Re: [requests] What would you like to see next on proxmark3 ?

You are right asper. This is actually 14B' and not 14B

Offline

#27 2015-06-25 22:19:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

it is 14b', but the actual protocol is unknown..

Offline

#28 2015-06-25 22:31:15

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

iceman wrote:

it is 14b', but the actual protocol is unknown..

Not publicly known... datasheets needed.

Offline

#29 2015-06-25 22:33:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

and here I thought you were the info-archangel Asper,... deliver.. deliver.. ;)

Offline

#30 2015-06-26 08:12:29

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: [requests] What would you like to see next on proxmark3 ?

Unfortunately no info. Subscribing to the protocol datasheets is expensive.

Offline

#31 2015-06-29 16:46:19

lutcheti
Contributor
Registered: 2015-05-21
Posts: 30

Re: [requests] What would you like to see next on proxmark3 ?

I thought they used 14b' in the past but moved to 14b recently. To be sure I would like
to get '14b snoop' working.
I tried to snoop a transaction but I always obtain a weird error message:

proxmark3> hf 14b snoop
#db# Snooping buffers initialized:                 
#db#   Trace: 39360 bytes                 
#db#   Reader -> tag: 256 bytes                 
#db#   tag -> Reader: 256 bytes                 
#db#   DMA: 128 bytes                 
#db# blew circular buffer! behindBy=0x74                 
#db# Snoop statistics:                 
#db#   Max behind by: 116                 
#db#   Uart State: 0                 
#db#   Uart ByteCnt: 0                 
#db#   Uart ByteCntMax: 256                 
#db#   Trace length: 0         

Maybe we could start by fixing this?

Offline

#32 2015-06-29 16:47:59

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

Update your firmware.  It IS fixed.

Offline

#33 2015-06-29 17:26:18

lutcheti
Contributor
Registered: 2015-05-21
Posts: 30

Re: [requests] What would you like to see next on proxmark3 ?

I thought they used 14b' in the past but moved to 14b recently. To be sure I would like
to get '14b snoop' working.
I tried to snoop a transaction but I always obtain a weird error message:

proxmark3> hf 14b snoop
#db# Snooping buffers initialized:                 
#db#   Trace: 39360 bytes                 
#db#   Reader -> tag: 256 bytes                 
#db#   tag -> Reader: 256 bytes                 
#db#   DMA: 128 bytes                 
#db# blew circular buffer! behindBy=0x74                 
#db# Snoop statistics:                 
#db#   Max behind by: 116                 
#db#   Uart State: 0                 
#db#   Uart ByteCnt: 0                 
#db#   Uart ByteCntMax: 256                 
#db#   Trace length: 0         

Here is my config:
http://sebsauvage.net/paste/?73f80ed23271fa3e#lGP+oZ2Rwty1hn2yarAjBlQsHbBWjpsITDlh5cPR6kQ=

[EDIT]
This is actually a serious issue. I'm trying to solve it here: http://www.proxmark.org/forum/viewtopic.php?id=2487
I must solve it before being able to snoop a full Calypso transaction (RATP or Velib), really frustrating :(
[/EDIT]

Last edited by lutcheti (2015-07-13 11:28:26)

Offline

#34 2015-06-29 17:52:57

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

are you running on the latest firmware compiled from GitHub??

Offline

#35 2015-07-06 22:55:50

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

i have a Request: hf snoop
a generic recording of HF samples regardless of the protocol. for use with tags that we don't know the protocol yet. (sielox.. others)

is it a question of buffer space? it seems like something like this used to exist (hisamples?) i'm going to start digging up some old info on this.

but i remember piwi recently said that passing hf samples (specifically regarding ISO 14b) to the client for demod couldn't work due to speed? maybe?

Offline

#36 2015-07-13 10:04:03

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: [requests] What would you like to see next on proxmark3 ?

Hi, this is my first message on this forum, I vote +1 for the request of marshmellow.
There is also a patch from another user, never released in master branch, here http://proxmark.org/forum/viewtopic.php?id=1945 maybe it is useful

Offline

#37 2015-07-15 08:54:07

Dake
Contributor
Registered: 2015-06-16
Posts: 32

Re: [requests] What would you like to see next on proxmark3 ?

Hello !
- improve PCF support
- Calypso implementation

Offline

#38 2015-07-22 23:41:48

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

Regarding "HF SNOOP"

https://github.com/EnioArda/proxmark3/commit/1bae666bcfaeab3b86c5a64bb150559862e1089d

Enio's fork had a HF SNOOP implemented, and it got merged, but I can't see it anymore in PM3 master..

Offline

#39 2015-07-27 05:22:21

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

lf snoop got merged, but I don't see hf snoop ever getting finished.

Offline

#40 2015-07-27 10:40:28

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

Yeah, it was something about splitting up the fpga firmware into a LF and a HF part at that time when Enio was doing this.
There have been changes to the HF part in the FPGA since then, so his adaptations might not work straight up.

But with the memory saving changes with the new BigBuff, the HF snooping might actually be able to snoop complete transactions. I remember that this also was an issue with hf snooping at the time.

Offline

#41 2015-07-27 21:28:04

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [requests] What would you like to see next on proxmark3 ?

iceman wrote:

Regarding "HF SNOOP"

https://github.com/EnioArda/proxmark3/commit/1bae666bcfaeab3b86c5a64bb150559862e1089d

Enio's fork had a HF SNOOP implemented, and it got merged, but I can't see it anymore in PM3 master..

Nope, it never got merged into master. And afaik, he never did a pull request on it, I don't think he ever considered it finished enough to "officially" submit it, and no one took up on it. Personally, it's not of much value to me (I'd rather use an oscilloscope or my Saleae pro logic), so I haven't put in the time that would be required to make it work.

And yes, he implemented it as an LF-mode, only because of addressing issues (no more flag-space in HF-section). That was a bit awkward, I pinged him a few months back that there now was 'space' available in HF, if he would want to continue with it.

Offline

#42 2015-07-27 21:40:19

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

I see, I stand corrected.
But we got a LF SNOOP from Gaucho?!? which works?! no?

Offline

#43 2015-07-27 23:05:59

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: [requests] What would you like to see next on proxmark3 ?

Yes, we have an LF snoop, afaik there are no problems on that front

Offline

#44 2015-07-28 05:04:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

i guess i'll have to find myself a good oscilloscope and learn it... :(

Offline

#45 2015-07-28 09:54:25

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

@marshmellow, Pretty soon you'll be compiling the fpga-code as well

Offline

#46 2015-10-17 03:43:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

we have iclass write now (it works most of the time...)

it can be crossed off. :)

Offline

#47 2015-10-17 13:59:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

+1

Offline

#48 2016-02-23 13:02:08

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: [requests] What would you like to see next on proxmark3 ?

You can cross off "LF T55XX bruteforce on the password (or analysing the time it takes)"

Offline

#49 2016-02-23 20:10:56

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: [requests] What would you like to see next on proxmark3 ?

an lf search command that runs like the hid fsk command..
basically will constantly search and demod tags until you hit the button.

Offline

#50 2016-02-23 21:20:38

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: [requests] What would you like to see next on proxmark3 ?

@apt-get See the threshold setting of lf config. It works. (if set properly it should search until the antenna picks up something, then it will attempt all known demods on the captured data) but doing it for more than one tag would be too slow and the output too long to be useful with the current device and implementation.

Last edited by marshmellow (2016-02-23 22:19:48)

Offline
