Proxmark3 community


#1 2015-06-19 18:20:24

ntk
Contributor
Registered: 2015-05-24
Posts: 701

need help for understanding "send raw command"

For a newbie, “send raw command” exists in both the HF and LF areas, and it seems to be a very important and very necessary tool. So I would like to understand the usage of “send raw command”.

I have two questions:

Question One:

Could someone point me to useful practical literature to learn why/when/how to effectively use this “send raw command”?

The help file has only a little; Google shows only a few patching threads, and the PM3 forum search brings up a lot of “raw”-related issues, but nothing specific to understanding why/when/how to use it.

Question Two:

In one thread in 2014, Asper, Jonor and others talked about a response timing issue, which made raw not function properly.

I checked out the latest Google SW. In void iso14443a_setup(uint8_t fpga_minor_mode) I see the function call

iso14a_set_timeout(1050); instead of 10000.

Is that timing issue already fixed somewhere else, or must you use a branch to use the send raw command?

Thank you for reading.

And sorry for the too long post.

Last edited by ntk (2015-06-19 18:23:08)


#2 2015-06-19 18:32:52

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: need help for understanding "send raw command"

1) Raw commands are necessary if you want to communicate with a tag using its own commands; if a tag is fully implemented in the pm3 command structure, it will be easier to use the already-made pm3 client commands instead of raw commands.
Using raw you manually send each specific byte (or part of it), adding data and eventually the CRC, just like the reader would do, but it is boring and annoying because to get an answer sometimes you need to send 3/4 raw commands, while with the pm3 command set you just need to launch one!
Raw commands can turn useful when you are exploring a new kind of tag for which you know the commands, because you read the specific datasheet, but no one has already implemented a pm3 command to manage it more easily.
You can consider the raw commands a kind of RFID modem (pm3 can handle raw commands, while mobile phones' NFC chips are not able to use raw because the "rawness" is inside the chip, which is digitally signed at the factory and you cannot modify it).

Example:

     Start |       End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |          
-----------|-----------|-----|-----------------------------------------------------------------|-----|--------------------|          
     -6993 |     -6993 | Rdr | 06  00 [97  5b]                                                 |  ok | INITIATE          
     -6993 |     -6993 | Tag | 33 [60  f3]                                                     |  ok |           
     -6993 |     -6993 | Rdr | 0e  33 [4f  96]                                                 |  ok | SELECT(51)          
     -6993 |     -6993 | Tag | 33 [60  f3]                                                     |  ok |           
     -6993 |     -6993 | Rdr | 0b [ab  4e]                                                     |  ok | GET UID          
     -6993 |     -6993 | Tag | 29  74  91  78  24  18  02  d0 [85  b0]                         |  ok |           

   
The above are the bytes sent to and received from the tag: to get the UID of a SRIX4K you need to send 3 raw commands, INITIATE, SELECT and GET_UID (and read their answers, because some commands/answers are linked!). With PM3 you can program a command that will do it for you, saving a lot of time! Between [] there is the CRC, which you can calculate manually or have the pm3 client calculate for you using a specific parameter.

To obtain the above trace you need to send:

proxmark3> hf 14b raw -c -p 06 00
received 3 octets          
33 60 f3         
CRC OK          
proxmark3> 

proxmark3> hf 14b raw -c -p 0E 33
received 3 octets          
33 60 f3          
CRC OK          
proxmark3> 

proxmark3> hf 14b raw -c -p 0B
received 10 octets          
29  74  91  78  24  18  02  d0         
CRC OK
proxmark3>

     
To know the exact command function and syntax you necessarily need to read the specific chip datasheet !

Here is a datasheet example of the SRIX4K GET_UID command:
[image: datasheet excerpt showing the SRIX4K GET_UID command]

2) The timing issue should be solved; only ISO14443B raw commands are not fully supported in my 2.0.0 release, but very good people are getting them into a working state again! If you need to use ISO14443B commands, you need to use branches until I release an updated firmware/client version greater than 2.0.0.

Last edited by asper (2015-06-19 18:55:52)


#3 2015-06-19 21:20:59

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

That is a great lesson, and very quick.

Thank you very much Asper.

"when you are exploring a new kind of tag in which you know the commands because you read the specific datasheet but no one already implemented a pm3 command for it" My hunch for treasure was right. I will study that. If you find more practical example documents and think they would be helpful for my understanding, please send them along.

Thanks again.

2/ Thanks for the hint regarding ISO14443B raw commands still not fully working. But no, I don't intend to use the command yet on any card. I only have Q5 (Sep/2005), T55x7, EM4100, mifare ultraslim, mifare classic 1K. That's all.

I know Legic Card is ISO14443b but have no idea yet how to come across one to play with.

I want to know and to understand the tool first.


#4 2015-06-19 21:40:59

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: need help for understanding "send raw command"

Legic Prime (older tags) is not ISO14443B; it was ISO14443 annex F, but that was rejected, so it is not contained in the ISO standards (search for "100616.EUSecWest.LegicPrime.pdf" for further detailed info). Legic Advant (newer tags) can be ISO14443A or ISO15693.

For other examples you need to read the specific tag datasheet, and remember that Mifare is not FULL-ISO14443A compliant but uses a proprietary protocol with proprietary commands.
You can find many traces/lists here in the forum (one is also shown in the proxmark.org logo! Look at those bytes in the background of the picture: they represent a mifare ANTICOLL and SELECT_UID example).

Or here you can see raw commands sent to "talk" to a mifare (jonr example) without list annotations because they were not implemented yet:

hf 14a raw -p -b 7 -a 26
hf 14a raw -p 93 20
hf 14a raw -p -c 93 70 16 15 CA 34 FF 
hf 14a raw -p -c 60 00

proxmark3> hf list 14a
recorded activity:          
 ETU     :rssi: who bytes          
---------+----+----+-----------          
 +      0:    :     26              
 +    236:   0: TAG 04  00              
 +      0:    :     93  20              
 +    452:   0: TAG 16  15  CA  34  ff              
 +      0:    :     93  70  16  15  ca  34  ff  e8  5c
 +    308:   0: TAG 08  b6  dd              
 +      0:    :     60  00  f5  7b              
 +    428:   0: TAG 2c  cc  c3  58              

26 = REQA (7bits! Note the -b 7 option used!)
93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
60 = Attempt to authenticate with KeyA

With the latest code additions, traces now have a very descriptive column on the right (called "Annotation"), as you can see in my example in my previous answer, where you can read the raw commands used by the reader and the tag answers!

Remember also that a very small number of commands are 7 bits and not 8: for an exhaustive list (without params and CRCs) you can read this post.

Last edited by asper (2015-06-19 23:17:47)

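The two traces quoted above (the SRIX4K Type B exchange in asper's first reply and jonr's Mifare Type A exchange in the reply just above) both show CRC bytes in brackets and, for Type A, a BCC byte after the UID. The following is an added example, not code from this thread or from the Proxmark3 project: it recomputes those check bytes so a reader can tell whether a frame they typed or captured is what the tag actually sees. ISO/IEC 14443-3 specifies CRC_A (preset 0x6363, not inverted) for Type A and CRC_B (preset 0xFFFF, inverted, as in ISO/IEC 13239) for Type B; both use the x^16 + x^12 + x^5 + 1 polynomial shifted LSB first, with the low byte sent first. The BCC in a "93 20" reply is the XOR of the four UID bytes. The sample frames are transcribed from the traces in this thread; the frame descriptions are mine.

```python
"""Frame-level checks for the Proxmark3 traces quoted in this thread.

Added example; not code from the thread or from the Proxmark3 project.
The bracketed byte pairs in a pm3 trace are the 16-bit CRC the sender
appended. ISO/IEC 14443-3 defines CRC_A for Type A (preset 0x6363,
result not inverted) and CRC_B for Type B (preset 0xFFFF, result
inverted, as in ISO/IEC 13239); both use the x^16 + x^12 + x^5 + 1
polynomial, shift LSB first and transmit the low byte first. In the
Type A anticollision reply the fifth byte (BCC) is the XOR of the four
UID bytes. Sample frames below are transcribed from the thread's traces.
"""
from typing import Dict, Iterable, List, Tuple


def _crc16_iso14443(data: Iterable[int], preset: int) -> int:
    """Bit-reflected CRC-16/CCITT, as in ISO/IEC 14443-3 Annex B."""
    crc = preset
    for byte in data:
        b = (byte ^ (crc & 0xFF)) & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return crc


def crc_a(data: Iterable[int]) -> List[int]:
    """CRC_A (Type A) as the two bytes that follow the data on air."""
    crc = _crc16_iso14443(data, 0x6363)
    return [crc & 0xFF, crc >> 8]


def crc_b(data: Iterable[int]) -> List[int]:
    """CRC_B (Type B) as the two bytes that follow the data on air."""
    crc = _crc16_iso14443(data, 0xFFFF) ^ 0xFFFF
    return [crc & 0xFF, crc >> 8]


def bcc(uid: Iterable[int]) -> int:
    """Block check character of an anticollision reply: XOR of UID bytes."""
    result = 0
    for byte in uid:
        result ^= byte
    return result


def parse_hex(text: str) -> List[int]:
    """Turn 'e8 5c' style text, as printed by the pm3 client, into bytes."""
    return [int(token, 16) for token in text.split()]


def crc_ok(frame: List[int], card_type: str) -> bool:
    """True if the last two bytes of frame are the right CRC for the rest."""
    if len(frame) < 3:  # at least one data byte plus two CRC bytes
        return False
    body, received = frame[:-2], frame[-2:]
    expected = crc_a(body) if card_type == "A" else crc_b(body)
    return expected == received


# Type B exchange with the SRIX4K from the first reply: (frame incl. CRC, label)
SRIX4K_TRACE: List[Tuple[str, str]] = [
    ("06 00 97 5b", "Rdr INITIATE"),
    ("33 60 f3", "Tag chip_id"),
    ("0e 33 4f 96", "Rdr SELECT(51)"),
    ("33 60 f3", "Tag chip_id echoed"),
    ("0b ab 4e", "Rdr GET UID"),
    ("29 74 91 78 24 18 02 d0 85 b0", "Tag 8-byte UID"),
]

# Type A exchange with a Mifare from jonr's trace (CRC-carrying frames only)
MIFARE_TRACE: List[Tuple[str, str]] = [
    ("93 70 16 15 ca 34 ff e8 5c", "Rdr SELECT"),
    ("08 b6 dd", "Tag SAK"),
    ("60 00 f5 7b", "Rdr AUTH key A, block 0"),
]


def check_trace(trace: List[Tuple[str, str]], card_type: str) -> Dict[str, bool]:
    """Map each frame label to whether its trailing CRC verifies."""
    return {label: crc_ok(parse_hex(frame), card_type) for frame, label in trace}


def check_anticollision_reply(reply: str) -> Tuple[int, int, bool]:
    """Return (received BCC, computed BCC, match) for a '93 20' reply."""
    data = parse_hex(reply)
    uid, received = data[:4], data[4]
    computed = bcc(uid)
    return received, computed, received == computed


if __name__ == "__main__":
    for label, ok in check_trace(SRIX4K_TRACE, "B").items():
        print(f"CRC_B {'ok ' if ok else 'BAD'}  {label}")
    for label, ok in check_trace(MIFARE_TRACE, "A").items():
        print(f"CRC_A {'ok ' if ok else 'BAD'}  {label}")
    print("BCC received/computed/match:", check_anticollision_reply("16 15 CA 34 ff"))
```

Every bracketed CRC in both traces verifies with these routines, which is a useful sanity check before trusting a hand-typed `hf 14a raw` / `hf 14b raw` frame sent without `-c`. The anticollision reply is the interesting case: the XOR of 16 15 CA 34 is 0xFD, while the trace records FF, so the BCC check reports a mismatch. Whether that is a transcription slip in the post or a tag with an odd BCC, it is exactly the kind of discrepancy a frame-level check surfaces and a real reader would reject.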

#5 2015-06-19 22:50:55

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

I realize the number "93 20" for anticollision; before that the reader must have sent "26" REQA, then 93 70 for SELECT, in the background of the Proxmark.org logo now.

Thank you. It will take me some time to read the related docs and understand all this.

But very much thank you for now.


#6 2015-06-19 23:15:18

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: need help for understanding "send raw command"

ntk wrote:

I realize the number "93 20" for anticollision; before that the reader must have sent "26" REQA, then 93 70 for SELECT, in the background of the Proxmark.org logo now.

Correct.

But very much thank you for now.

You are welcome ;)

Last edited by asper (2015-06-19 23:16:51)


#7 2015-06-21 14:07:25

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

I kind of understand send raw commands now. I think of doing practice on the HID card, mifare classic 1K and mifare ultra light card that all came with the proxmark3 unit. Do you think it makes sense? Those are only blank cards... What other cards can I use to study the raw commands in this section ISO14443a/b? And in the LF sections?

I have one more question before practice: where have you learnt that to "get UID" you have to do 3 steps,
initiate / then select / then get UID for SRIX4K?

I have read the document CD0003700.pdf. It describes all 10 commands, but it does not tell you that to do a certain job, like to get the UID, you have to do the sequence of 3 commands and it has to be in that logical order (the logic of the sequence does make sense, but only after you told me).

Which words do you have to search for specifically, to get to the magic documents which give you information about the sequence of raw commands, details of the raw commands and details of the answers coming back from a chip?

For example T55x7 is fully implemented for read/write, so when I pretend T55x7 is my unknown chip, it would be helpful to check that what I send raw to the T55x7 chip is doing correctly what I expect. But when I google "+commands T55x7 T5555 +pdf", no pdf document with content similar to the CD*.pdf for SRIX4K comes up. For the history: the pdf for SRIX4K I could only locate thanks to your link.

Thank you for reading.

And sorry for bothering you on a Sunday

Last edited by ntk (2015-06-21 14:26:00)


#8 2015-06-21 18:25:01

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: need help for understanding "send raw command"

ntk wrote:

I have one more question before practice: where have you learnt that to "get UID" you have to do 3 steps,
initiate / then select / then get UID for SRIX4K?

I have read the document CD0003700.pdf. It describes all 10 commands, but it does not tell you that to do a certain job, like to get the UID, you have to do the sequence of 3 commands and it has to be in that logical order (the logic of the sequence does make sense, but only after you told me).

Which words do you have to search for specifically, to get to the magic documents which give you information about the sequence of raw commands, details of the raw commands and details of the answers coming back from a chip?

You did not read the ISO14443B datasheet and the SRIX4K datasheet in detail; it is all explained there.
You 1st need to see which card is in the field, then, after a card/tag has answered, you need to select it, and then ask for its UID.
Study harder ;)

About mifare, you need to read the ISO14443A datasheet and then the mifare-specific datasheet.

The same goes for other cards: 1st study the protocol, if it is standard and/or already described somewhere, then read the specific tag datasheet.

Last edited by asper (2015-06-21 18:26:00)


#9 2015-06-21 21:00:41

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

So, staying for example with the SRIX4K chip, you have
http://www.st.com/web/en/resource/technical/document/datasheet/CD00003007.pdf
or the same with a different name
http://www.zotei.com/files/smart_card/SRIX4K_IC_datasheet.pdf etc.

You have to understand the state transition diagram; then through chapter 6 "SRIX4K states" you can work out the correct logic sequence, like in this picture
http://www.filedropper.com/srix4k

Is that what you mean by "it is all explained there"? That is why the sequence has to be initiate(), select(X) with X from all the answers, then get_UID(), and only in this order to send raw commands?

Last edited by ntk (2015-06-21 21:13:49)


#10 2015-06-21 21:54:16

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

How come there are so many names for one and the same document?

http://www.st.com/st-web-ui/static/active/en/resource/technical/document/application_note/DM00034566.pdf
http://www.st.com/web/en/resource/technical/document/datasheet/CD00003007.pdf
http://www.zotei.com/files/smart_card/SRIX4K_IC_datasheet.pdf
http://www.bdtic.com/DataSheet/ST/SRIX4K.pdf
etc.


#11 2015-06-21 22:02:19

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: need help for understanding "send raw command"

All the info you need (even for your latest questions) is inside the datasheets of the chip and the datasheets of the ISO standards. That is where I learnt.


#12 2015-06-22 01:54:27

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: need help for understanding "send raw command"

Now I also understand what the following thread is about
http://www.proxmark.org/forum/viewtopic.php?id=2496

The annotation is great. Congratulations.

... But it is also a paradox ... to reach the point when one starts to understand
   0 | Tag | 53 [66  90]                                                    |  ok |           
   0 | Rdr | 0e  53 [49  f5]                                                |  ok | SELECT(83)

and the correct manufacturer and chip UID from this response "29  74  91  78  24  18  02  d0 [85  b0] "

It's nice ... and it feels awkward at the same time...

Last edited by ntk (2015-06-22 02:28:18)
