Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

Pages: 1

#1 2014-04-03 08:35:21

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Snoop problems with ultralight ?

I tryed to snoop an Ultralight C auth command (using a non-C card because I don't have one) but I have no luck; the reader gives me an error and no data is snooped. So i check if snoop was working fine but I see this:

Recorded Activity         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
All times are in carrier periods (1/13.56Mhz)         
     Start |       End | Src | Data         
-----------|-----------|-----|--------         
         0 |       152 | Rdr | 30  00  02  a8             
250204528 |  -1582740 | Tag | 00! 00  00  00! 00! 00! 00! 2b! d2! 2f! bf  18     !crc         
413636442 | 2145898366 |     |           
1716401874 | 318432127 | Rdr | c2  22  4f  19  00  09  00  00  00  04  30  08  4a  24  b4  4f  19  80  3c  fc  03  00  12  88  88  88  88  99  99  99  99  10  10  10  10  11  11  11  11  df  46  68  df  19  00  0c  00  00  00  04  30  0c  6e  62  00  e0  19  80  c0  c3  03  00  12  12  12  12  12     !crc         

30 is the reading command
00 is the starting block
02 A8 are 2 bytes crc

the answer is weired...

The correct card content is this:

proxmark3> hf mf urdcard
Attempting to Read Ultralight...           
#db# READ CARD FINISHED                 
isOk:01         
Block 00:04 01 02 8f           
Block 01:05 06 07 08           
Block 02:0c 00 00 00           
Block 03:00 00 00 00  [0]         
Block 04:ff ff ff ff  [0]         
Block 05:55 55 55 55  [0]         
Block 06:66 66 66 66  [0]         
Block 07:77 77 77 77  [0]         
Block 08:88 88 88 88  [0]         
Block 09:99 99 99 99  [0]         
Block 0a:10 10 10 10  [0]         
Block 0b:11 11 11 11  [0]         
Block 0c:12 12 12 12  [0]         
Block 0d:13 13 13 13  [0]         
Block 0e:14 14 14 14  [0]         
Block 0f:15 15 15 15  [0]         

Can the antenna positioning be the problem ? I put the ultralight on my reader and over it (1-2 cm) i put pm3 antenna... or maybe there is a snoop function problem ?

I just tested with this pm3 config:

proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 834 2013-11-01 11:34:14                 
#db# os: svn 834 2013-11-01 11:34:18                 
#db# FPGA image built on 2012/ 1/ 6 at 15:27:56


EDIT:

Well using this:
proxmark3> hw version
#db# Prox/RFID mark3 RFID instrument                 
#db# bootrom: svn 698 2013-04-17 10:19:38                 
#db# os: svn 0 2014-03-21 08:15:55                 
#db# FPGA image built on 2014/02/25 at 07:43:59                 
uC: AT91SAM7S256 Rev B         
Embedded Processor: ARM7TDMI         
Nonvolatile Program Memory Size: 256K bytes         
Second Nonvolatile Program Memory Size: None         
Internal SRAM Size: 64K bytes         
Architecture Identifier: AT91SAM7Sxx Series         
Nonvolatile Program Memory Type: Embedded Flash Memory     

it seems to work:

Recorded Activity         
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer         
All times are in carrier periods (1/13.56Mhz)         
     Start |       End | Src | Data         
-----------|-----------|-----|--------         
         0 |      4768 | Rdr | 30  00  02  a8             
      7220 |     28020 | Tag | 04  01  02  8f  05  06  07  08  0c  00  00  00  00  00  00  00  2b  d2             
    613552 |    618256 | Rdr | 30  04  26  ee             
    620772 |    641636 | Tag | ff  ff  ff  ff  55  55  55  55  66  66  66  66  77  77  77  77  43  c2             
   1224944 |   1229648 | Rdr | 30  08  4a  24             
   1232164 |   1253028 | Tag | 88  88  88  88  99  99  99  99  10  10  10  10  11  11  11  11  df  46             
   1836256 |   1841024 | Rdr | 30  0c  6e  62             
   1843476 |   1864340 | Tag | 12  12  12  12  13  13  13  13  14  14  14  14  15  15  15  15  51  c7             

So it is a revision problem... the strange thing is that I cannot sniff the auth command sent by the reader to the ultralight non-c (the card is not going to answer but at least I expected the command to show up...).

Last edited by asper (2014-04-03 08:43:56)

Offline

#2 2014-04-13 19:43:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Snoop problems with ultralight ?

Do we have a snoop implementation for UL or ULC?
Or can I use the hf 14a snoop straight up?

Offline

#3 2014-04-13 19:57:59

midnitesnake
Contributor
Registered: 2012-05-11
Posts: 151

Re: Snoop problems with ultralight ?

I have been using hf 14a list to debug the stuff Ive been doing.
I also am not up-to-date on unstable fpga firmware as i thought the sniff & snoop work was ongoing?

Asper: I to would expect to see the reader send the 1a00 command, even though the card won't respond.

Iceman: As for the hf 14a sniff/snoop commands as its part of the raw iso14443 layer, I expect it should work with no extra coding as the ultralight(C) is manipulating calls a layer above this.

Offline

Pages: 1

Board footer

Powered by FluxBB