I started with enhancing the "hf 14a sim" command to be able to answer some commands for EV1/NTAG.
However, I can't really test them. Does someone have an NTAG at home who can test it?
Why doesn't my reading PM3 pick up the sent GET_VERSION data?!?...
The SIM side:
pm3 --> hf 14a sim t 7 u 04112233445566
Emulating ISO/IEC 14443 type A tag with 7 byte UID (04112233445566)
Press pm3-button to abort simulation
#db# Button press
#db# 0 0 c
pm3 -->
pm3 --> hf li 14a
Recorded Activity (TraceLen = 327 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7056 | 9520 | Rdr |93 20 | | ANTICOLL
10692 | 16580 | Tag |88 04 11 22 bf | |
18696 | 29160 | Rdr |93 70 88 04 11 22 bf b3 f9 | ok | SELECT_UID
30332 | 33852 | Tag |04 da 17 | |
35088 | 37552 | Rdr |95 20 | | ANTICOLL-2
38724 | 44548 | Tag |33 44 55 66 44 | |
46600 | 57064 | Rdr |95 70 33 44 55 66 44 ec a3 | ok | ANTICOLL-2
58236 | 61820 | Tag |00 fe 51 | |
386184 | 394344 | Rdr |1b ff ff ff ff 63 00 | ok | PWD-AUTH KEY: 0xffffffff
395516 | 400252 | Tag |80 80 64 16 | |
88205184 | 88206176 | Rdr |52 | | WUPA
88207412 | 88209780 | Tag |44 00 | |
88212240 | 88214704 | Rdr |93 20 | | ANTICOLL
88215876 | 88221764 | Tag |88 04 11 22 bf | |
88223880 | 88234344 | Rdr |93 70 88 04 11 22 bf b3 f9 | ok | SELECT_UID
88235516 | 88239036 | Tag |04 da 17 | |
88240272 | 88242736 | Rdr |95 20 | | ANTICOLL-2
88243908 | 88249732 | Tag |33 44 55 66 44 | |
88251784 | 88262248 | Rdr |95 70 33 44 55 66 44 ec a3 | ok | ANTICOLL-2
88263420 | 88267004 | Tag |00 fe 51 | |
88599696 | 88603312 | Rdr |60 f8 32 | ok | EV1 VERSION
88604484 | 88616132 | Tag |00 04 04 02 01 00 11 03 01 9e | ok |
pm3 -->
The READER side:
pm3 --> hf 14a raw -s -c 60
received 7 octets
04 11 22 33 44 55 66
received 1 octets
00
pm3 --> hf li 14a
Recorded Activity (TraceLen = 155 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass - Timings are not as accurate
Start | End | Src | Data (! denotes parity error) | CRC | Annotation |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
0 | 992 | Rdr |52 | | WUPA
2228 | 4596 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10676 | 16564 | Tag |88 04 11 22 bf | |
18688 | 29152 | Rdr |93 70 88 04 11 22 bf b3 f9 | ok | SELECT_UID
30324 | 33844 | Tag |04 da 17 | |
35072 | 37536 | Rdr |95 20 | | ANTICOLL-2
38708 | 44532 | Tag |33 44 55 66 44 | |
46592 | 57056 | Rdr |95 70 33 44 55 66 44 ec a3 | ok | ANTICOLL-2
58228 | 61812 | Tag |00 fe 51 | |
394496 | 398112 | Rdr |60 f8 32 | ok | EV1 VERSION
399284 | 399540 | Tag |00! | |
pm3 -->
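The 8-byte block behind the 0x00 header in the sim-side GET_VERSION answer above (00 04 04 02 01 00 11 03; the trailing 01 9e is the CRC) is what a reader uses to tell an NTAG215 from its siblings, while the reader side only got a lone "00!" byte back. The decoder below is an added example, not code from the original post or from Proxmark3: the field meanings come from the NXP Ultralight EV1 / NTAG21x datasheets, and the product-name table is an illustration keyed on the type and storage-size bytes, which is assumed to be enough for the chips discussed in this thread.

```c
/* Added example (not Proxmark3 code): decode the 8-byte GET_VERSION (0x60)
 * answer of a MIFARE Ultralight EV1 / NTAG21x tag. Field layout follows the
 * NXP datasheets; the product table covers only the chips this thread deals
 * with and is keyed on type + storage-size byte for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mfu_version {
    uint8_t vendor;     /* 0x04 = NXP */
    uint8_t type;       /* 0x03 = MIFARE Ultralight, 0x04 = NTAG */
    uint8_t subtype;    /* 0x01 = 17 pF, 0x02 = 50 pF input capacitance */
    uint8_t major;
    uint8_t minor;
    uint8_t size_code;  /* raw storage-size byte */
    uint8_t protocol;   /* 0x03 = ISO/IEC 14443-3 */
    unsigned size_lo;   /* user memory is exactly size_lo bytes (size_lo == size_hi) */
    unsigned size_hi;   /* or strictly between size_lo and size_hi */
};

/* Returns 0 on success, -1 if rsp is not a full 8-byte answer with the fixed
 * 0x00 header: a 1-byte NAK, or the lone "00!" byte the reader-side trace
 * recorded, must not be decoded as a version block. */
int mfu_parse_version(const uint8_t *rsp, size_t len, struct mfu_version *v)
{
    if (rsp == NULL || len != 8 || rsp[0] != 0x00) return -1;
    v->vendor    = rsp[1];
    v->type      = rsp[2];
    v->subtype   = rsp[3];
    v->major     = rsp[4];
    v->minor     = rsp[5];
    v->size_code = rsp[6];
    v->protocol  = rsp[7];
    /* Storage-size byte: n = bits 7..1. LSB 0 means exactly 2^n bytes,
     * LSB 1 means 2^n < size < 2^(n+1) (NTAG215: 0x11 -> 256 < 504 < 512). */
    unsigned n = rsp[6] >> 1;
    v->size_lo = 1u << n;
    v->size_hi = (rsp[6] & 1) ? (1u << (n + 1)) : (1u << n);
    return 0;
}

const char *mfu_product_name(const struct mfu_version *v)
{
    if (v->vendor != 0x04) return "not NXP";
    if (v->type == 0x04) {                 /* NTAG21x family */
        switch (v->size_code) {
        case 0x0F: return "NTAG213";
        case 0x11: return "NTAG215";
        case 0x13: return "NTAG216";
        default:   return "NTAG (unknown size)";
        }
    }
    if (v->type == 0x03) {                 /* MIFARE Ultralight EV1 */
        switch (v->size_code) {
        case 0x0B: return "MF0UL11";
        case 0x0E: return "MF0UL21";
        default:   return "Ultralight (unknown size)";
        }
    }
    return "unknown";
}

/* Product name for a raw answer, or NULL if it does not parse. */
const char *mfu_product_from_answer(const uint8_t *rsp, size_t len)
{
    struct mfu_version v;
    if (mfu_parse_version(rsp, len, &v) != 0) return NULL;
    return mfu_product_name(&v);
}

/* Bytes from the two traces above (CRC bytes 01 9e stripped from the first). */
static const uint8_t SIM_VERSION_ANSWER[8] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03};
static const uint8_t READER_SIDE_ANSWER[1] = {0x00};   /* the "00!" the reader saw */

int main(void)
{
    struct mfu_version v;
    if (mfu_parse_version(SIM_VERSION_ANSWER, sizeof SIM_VERSION_ANSWER, &v) == 0)
        printf("%s v%u.%u, user memory %u..%u bytes, protocol 0x%02x\n",
               mfu_product_name(&v), v.major, v.minor, v.size_lo, v.size_hi, v.protocol);
    printf("reader-side answer decodes: %s\n",
           mfu_product_from_answer(READER_SIDE_ANSWER, 1) ? "yes" : "no (1 byte, not a version block)");
    return 0;
}
```

Fed the sim-side bytes, the decoder reports vendor NXP, type NTAG, subtype 50 pF, version 1.0, a user memory strictly between 256 and 512 bytes and ISO/IEC 14443-3, which is exactly what a tool such as TagInfo derives from the same block; fed the single byte the reader side recorded, it refuses to decode.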
And yes, the sim handles a 0x1B authenticate, but I cut it out of the reader-side output..
found it...
I have a few NTAGs and EV1s, let me know what you'd like to see.
It's in my fork; if you can, compare the outputs from a proper NTAG215 and the "hf 14a sim t 7 u xxxxxxxxx".
At the moment the read_signature is not implemented, but I'll do that sooner or later.
@marshmellow, if you try now, is the output from a sim/read much different from a proper NTAG215?
The "hf 14a sim" can now simulate an NTAG215.
"hf mfu info" and "hf 14a reader" think it's an NTAG... Sooooo... this means we can trick the amiibo reader,
simulate different UIDs and collect its PWDs, scriptwise.
Now, who has an amiibo reader?!?!?
Iceman you rock!!
No, the people who wrote the original "hf 14a sim" rock. I'm just standing on the shoulders of giants.
It appears the CRC calc for the MIFARE block read command is wrong in the 14a sim:
1077812 | 1082516 | Rdr |30 02 10 8b | ok | READBLOCK(2)
1085544 | 1106344 | Tag |00 48 0f e0 e1 10 12 00 03 00 fe 00 00 00 00 00 | |
| | |00 8d | !crc|
Real tag:
34285168 | 34289872 | Rdr |30 02 10 8b | ok | READBLOCK(2)
34291108 | 34311908 | Tag |38 48 00 00 e1 10 3e 00 03 00 fe 00 00 00 00 00 | |
| | |77 93 | ok |
Also, did you include the CHK_TEARING command?
Also, the signature is tied to the UID, so if the UID used to sim is different from the tag you got the signature from, then it should fail.
To fix the CRC errors the following lines need to be changed to:
1171 - ComputeCrc14443(CRC_14443_A, blockdata+start, 16, blockdata+start+16, blockdata+start+17);
1174 - ComputeCrc14443(CRC_14443_A, blockzeros,16, blockzeros+16,blockzeros+17);
1187 - ComputeCrc14443(CRC_14443_A, blockzeros,len, blockzeros+len, blockzeros+len+1);
1197 - ComputeCrc14443(CRC_14443_A, data, 32, data+32, data+33);
1202 - ComputeCrc14443(CRC_14443_A, data, 3, data+3, data+4);
It looks like there might be a memory issue as well, as one of my readers will cause a PM3 crash/reboot every time (possibly overloads the memory?). It tries to read off all the memory of an NTAG215.
Last edited by marshmellow (2015-06-21 06:43:53)
CHK_TEARING is not implemented.
The signature is connected with the UID, hm, of course it should fail. However, this simulation can't perform an elliptic curve calculation with the key from NXP either. This implementation just answers with a signature taken from a tag and hopes that the reader doesn't do ECC calcs either. If someone can get their hands on NXP's private key it would be possible to simulate it correctly.
I'm fixing the CRC and implementing tearing,
will have to look into the read-all-memory thing; at the moment it just returns 16 zeros for all read blocks above 4 for the plain read command..
but for fast read it could pop the empty array limits..
The CRC is OK now, thanks @marshmellow for finding/testing.
The fast read has a solution, thanks @marshmellow for finding/testing.
I also implemented the command CHECK_TEARING.
The READ/FASTREAD commands now take their data from the emulator memory, i.e. you need to eload a dump first if you want the simulation to work accordingly..
edit:
A simple implementation of the "increase counter" command is done.
TODO:
----------
* increase counters
* "hf 14a sim x" extension to print password.
* eload/esave for mfu commands.
We need a better format now; the old bin files are just not enough.
Either an ascii/json/xml kind of format where we can save "GET_VERSION, SIGNATURE, PASSWORD, PACK" etc. together with the tag data.
Finally, Marshmellow tested the new sim functionality and I quote "NXP's tag info totally fooled into thinking the pm3 was my original tag." which is a good thing.
It opens up new testing/analysing possibilities for ticketing systems.
Last edited by iceman (2015-06-22 18:44:48)
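The !crc on the simulated READ(2) answer that marshmellow posted above and the "read all memory" crash come down to two things the simulation has to get right: the ISO/IEC 14443-3 CRC_A computed over exactly the bytes it sends, and reads that stay inside the emulator memory. What follows is an added example, not Proxmark3's ComputeCrc14443 or its sim code: a CRC_A routine (preset 0x6363, reflected polynomial 0x8408, low byte first), a frame check, and a READ answer builder that NAKs out-of-range pages and rolls over at the end of memory. The sample frames are the ones from the traces in this thread; the 135-page NTAG215 image is constructed for the demo, with only pages 2..5 filled from the real tag's answer.

```c
/* Added example, not Proxmark3's ComputeCrc14443: ISO/IEC 14443-3 CRC_A
 * (preset 0x6363, reflected polynomial 0x8408, no final XOR, low byte sent
 * first) plus a bounds-checked READ answer built from emulator memory.
 * The sample frames are copied from the traces in this thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

uint16_t crc14443a(const uint8_t *data, size_t len)
{
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = data[i] ^ (uint8_t)(crc & 0xFF);
        b ^= (uint8_t)(b << 4);
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)b << 8) ^ ((uint16_t)b << 3) ^ (b >> 4));
    }
    return crc;
}

/* Append the CRC after the first len payload bytes of buf (room for len + 2
 * bytes required). Returns the on-air frame length. */
size_t crc14443a_append(uint8_t *buf, size_t len)
{
    uint16_t crc = crc14443a(buf, len);
    buf[len]     = (uint8_t)(crc & 0xFF);   /* low byte first on the air */
    buf[len + 1] = (uint8_t)(crc >> 8);
    return len + 2;
}

/* 1 if the last two bytes of frame are the correct CRC_A of the rest. */
int crc14443a_check(const uint8_t *frame, size_t len)
{
    if (len < 3) return 0;
    uint16_t crc = crc14443a(frame, len - 2);
    return frame[len - 2] == (crc & 0xFF) && frame[len - 1] == (crc >> 8);
}

/* Answer to READ (0x30) from emulator memory: 4 pages (16 bytes) + CRC.
 * mem holds npages * 4 bytes; out needs room for 18 bytes. A page beyond the
 * last one returns 0 (the caller sends a NAK), and a read that runs past the
 * end rolls over to page 0 as the NTAG21x datasheet specifies, so the copy can
 * never run off the end of the emulator buffer. */
size_t mfu_sim_read(const uint8_t *mem, size_t npages, uint8_t page, uint8_t *out)
{
    if (npages == 0 || page >= npages) return 0;
    for (size_t i = 0; i < 4; i++) {
        size_t p = (page + i) % npages;
        memcpy(out + i * 4, mem + p * 4, 4);
    }
    return crc14443a_append(out, 16);
}

/* Frames from the traces above (command + CRC, and the two READ(2) answers),
 * plus the CRC_A test vector from ISO/IEC 14443-3 Annex B (00 00 -> A0 1E). */
static const uint8_t READ2_CMD[]        = {0x30, 0x02, 0x10, 0x8B};
static const uint8_t GET_VERSION_CMD[]  = {0x60, 0xF8, 0x32};
static const uint8_t ISO_TESTVEC[]      = {0x00, 0x00};
static const uint8_t REAL_TAG_READ2[18] = {0x38, 0x48, 0x00, 0x00, 0xE1, 0x10, 0x3E, 0x00,
                                           0x03, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00,
                                           0x77, 0x93};
static const uint8_t SIM_READ2_BAD[18]  = {0x00, 0x48, 0x0F, 0xE0, 0xE1, 0x10, 0x12, 0x00,
                                           0x03, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00,
                                           0x00, 0x8D};

#define NTAG215_PAGES 135   /* pages 0x00..0x86 */

/* Constructed NTAG215 image: pages 2..5 from the real tag's answer, rest zero. */
static void demo_memory(uint8_t mem[NTAG215_PAGES * 4])
{
    memset(mem, 0, NTAG215_PAGES * 4);
    memcpy(mem + 2 * 4, REAL_TAG_READ2, 16);
}

/* 1 if the simulated READ(2) reproduces the real tag's frame, CRC included. */
int demo_read2_matches_real_tag(void)
{
    uint8_t mem[NTAG215_PAGES * 4], out[18];
    demo_memory(mem);
    return mfu_sim_read(mem, NTAG215_PAGES, 2, out) == 18 &&
           memcmp(out, REAL_TAG_READ2, 18) == 0;
}

/* Answer length the simulation would produce for an arbitrary page. */
size_t demo_read_len(uint8_t page)
{
    uint8_t mem[NTAG215_PAGES * 4], out[18];
    demo_memory(mem);
    return mfu_sim_read(mem, NTAG215_PAGES, page, out);
}

int main(void)
{
    printf("READ(2) cmd CRC ok: %d, real tag answer ok: %d, old sim answer ok: %d\n",
           crc14443a_check(READ2_CMD, sizeof READ2_CMD),
           crc14443a_check(REAL_TAG_READ2, sizeof REAL_TAG_READ2),
           crc14443a_check(SIM_READ2_BAD, sizeof SIM_READ2_BAD));
    printf("sim READ(2) matches real tag: %d; READ(0x87) -> %zu bytes (NAK)\n",
           demo_read2_matches_real_tag(), demo_read_len(0x87));
    return 0;
}
```

Built with any C99 compiler, the real-tag answer 38 48 ... 77 93 passes the check and the old simulated answer 00 48 ... 00 8d fails it, the constructed image answers READ(2) byte for byte like the real tag, and a READ of page 0x87 on the 135-page image yields no data instead of walking past the buffer. The corrected calls posted above do the same thing as crc14443a_append: compute over the full block and write the two CRC bytes directly behind it.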
@marshmellow can you try out the changes I did to the "hf 14a sim t 7"?
against a proper reader:
---
hf 14a sim t 7
hf 14a sim t 7 x
@iceman I pushed a new fork (boy, will I be glad when all my pull requests are accepted and I can merge all my branches...) ntag_simtest
I copied your fork in the first commit and made a few modifications in the last commit:
I implemented a script to convert the mfu dump .bin to .eml
I implemented option 'u' in hf mf eload u <filename> for MIFARE Ultralight types (4-byte blocks instead of 16-byte blocks)
I adjusted some items in the 14a sim itself.
And the result is the code I used to get a completely fooled NXP TagInfo:
** TagInfo scan (version 3.0) 2015-06-22 11:33:48 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
NTAG215
-- NDEF ------------------------------
# No NFC data set available:
# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 496 bytes
NDEF access: Read & Write
E1 10 3E 00 |..>. |
-- EXTRA ------------------------------
# Memory size:
504 bytes user memory
* 126 pages, with 4 bytes per page
# IC detailed information:
Full product name: NT2H1511G0DUx
Capacitance: 50 pF
# Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 504 bytes
Protocol: ISO/IEC 14443-3
# Configuration information:
ASCII mirror disabled
NFC counter: disabled (no tearing)
No limit on wrong password attempts
Strong load modulation enabled
# Originality check:
Signature verified with NXP public key
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.Ndef, android.nfc.tech.Ndef]
android.nfc.tech.Ndef
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms
# Detailed protocol information:
ID: 04:6C:BB:9A:1D:3E:81
ATQA: 0x4400
SAK: 0x00
# Memory content:
[00] * 04:6C:BB 5B (UID0-UID2, BCC0)
[01] * 9A:1D:3E:81 (UID3-UID6)
[02] . 38 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] . E1:10:3E:00 (OTP0-OTP3)
[04] . 03 00 FE 00 |....|
[05] . 00 00 00 00 |....|
[06] . 00 00 00 00 |....|
[07] . 00 00 00 00 |....|
[08] . 00 00 00 00 |....|
[09] . 00 00 00 00 |....|
[0A] . 00 00 00 00 |....|
[0B] . 00 00 00 00 |....|
[0C] . 00 00 00 00 |....|
[0D] . 00 00 00 00 |....|
[0E] . 00 00 00 00 |....|
[0F] . 00 00 00 00 |....|
[10] . 00 00 00 00 |....|
[11] . 00 00 00 00 |....|
[12] . 00 00 00 00 |....|
[13] . 00 00 00 00 |....|
[14] . 00 00 00 00 |....|
[15] . 00 00 00 00 |....|
[16] . 00 00 00 00 |....|
[17] . 00 00 00 00 |....|
[18] . 00 00 00 00 |....|
[19] . 00 00 00 00 |....|
[1A] . 00 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 00 00 00 00 |....|
[1D] . 00 00 00 00 |....|
[1E] . 00 00 00 00 |....|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 00 00 |....|
[29] . 00 00 00 00 |....|
[2A] . 00 00 00 00 |....|
[2B] . 00 00 00 00 |....|
[2C] . 00 00 00 00 |....|
[2D] . 00 00 00 00 |....|
[2E] . 00 00 00 00 |....|
[2F] . 00 00 00 00 |....|
[30] . 00 00 00 00 |....|
[31] . 00 00 00 00 |....|
[32] . 00 00 00 00 |....|
[33] . 00 00 00 00 |....|
[34] . 00 00 00 00 |....|
[35] . 00 00 00 00 |....|
[36] . 00 00 00 00 |....|
[37] . 00 00 00 00 |....|
[38] . 00 00 00 00 |....|
[39] . 00 00 00 00 |....|
[3A] . 00 00 00 00 |....|
[3B] . 00 00 00 00 |....|
[3C] . 00 00 00 00 |....|
[3D] . 00 00 00 00 |....|
[3E] . 00 00 00 00 |....|
[3F] . 00 00 00 00 |....|
[40] . 00 00 00 00 |....|
[41] . 00 00 00 00 |....|
[42] . 00 00 00 00 |....|
[43] . 00 00 00 00 |....|
[44] . 00 00 00 00 |....|
[45] . 00 00 00 00 |....|
[46] . 00 00 00 00 |....|
[47] . 00 00 00 00 |....|
[48] . 00 00 00 00 |....|
[49] . 00 00 00 00 |....|
[4A] . 00 00 00 00 |....|
[4B] . 00 00 00 00 |....|
[4C] . 00 00 00 00 |....|
[4D] . 00 00 00 00 |....|
[4E] . 00 00 00 00 |....|
[4F] . 00 00 00 00 |....|
[50] . 00 00 00 00 |....|
[51] . 00 00 00 00 |....|
[52] . 00 00 00 00 |....|
[53] . 00 00 00 00 |....|
[54] . 00 00 00 00 |....|
[55] . 00 00 00 00 |....|
[56] . 00 00 00 00 |....|
[57] . 00 00 00 00 |....|
[58] . 00 00 00 00 |....|
[59] . 00 00 00 00 |....|
[5A] . 00 00 00 00 |....|
[5B] . 00 00 00 00 |....|
[5C] . 00 00 00 00 |....|
[5D] . 00 00 00 00 |....|
[5E] . 00 00 00 00 |....|
[5F] . 00 00 00 00 |....|
[60] . 00 00 00 00 |....|
[61] . 00 00 00 00 |....|
[62] . 00 00 00 00 |....|
[63] . 00 00 00 00 |....|
[64] . 00 00 00 00 |....|
[65] . 00 00 00 00 |....|
[66] . 00 00 00 00 |....|
[67] . 00 00 00 00 |....|
[68] . 00 00 00 00 |....|
[69] . 00 00 00 00 |....|
[6A] . 00 00 00 00 |....|
[6B] . 00 00 00 00 |....|
[6C] . 00 00 00 00 |....|
[6D] . 00 00 00 00 |....|
[6E] . 00 00 00 00 |....|
[6F] . 00 00 00 00 |....|
[70] . 00 00 00 00 |....|
[71] . 00 00 00 00 |....|
[72] . 00 00 00 00 |....|
[73] . 00 00 00 00 |....|
[74] . 00 00 00 00 |....|
[75] . 00 00 00 00 |....|
[76] . 00 00 00 00 |....|
[77] . 00 00 00 00 |....|
[78] . 00 00 00 00 |....|
[79] . 00 00 00 00 |....|
[7A] . 00 00 00 00 |....|
[7B] . 00 00 00 00 |....|
[7C] . 00 00 00 00 |....|
[7D] . 00 00 00 00 |....|
[7E] . 00 00 00 00 |....|
[7F] . 00 00 00 00 |....|
[80] . 00 00 00 00 |....|
[81] . 00 00 00 00 |....|
[82] . 00 00 00 BD (LOCK2-LOCK4, CHK)
[83] . 04 00 00 FF (CFG, MIRROR, AUTH0)
[84] . 00 05 -- -- (ACCESS)
[85] +P FF FF FF FF (PWD0-PWD3)
[86] +P 80 80 -- -- (PACK0-PACK1)
*:locked & blocked, x:locked,
+:blocked, .:un(b)locked, ?:unknown
r:readable (write-protected),
p:password protected, -:write-only
P:password protected write-only
--------------------------------------
The only difference between this and the actual tag is the 8080 PACK.
Overall - great job iceman!
Last edited by marshmellow (2015-06-22 19:12:28)
He he, I just added the "hf mfu eload" and was thinking about how to implement it. Now I can take your code.
And yes, it's time some people started to merge the pull requests, but that is for another thread.
*edit*
Saw your script, great!
However, a dump file is not enough to make a good sim. We need some extra info.
This raises the question of the dump format once again.
A JSON format maybe?
Last edited by iceman (2015-06-22 19:25:29)
An mfu eload is probably the right way to go; I was lazy and added it to the mf eload...
Yes, we are missing the sig data, the PACK and counters/tearing?
Add them to the end? The simpler the better for file formats...
Tearing is just interesting if the sim shall tell the reader something is wrong with the counter, and we don't want that..
json ::
{
uid {} tag -size- type-
data {nn,nn,nn,nn}
signature{nn,nn,nn,}
counter{1,xx; 2,xx 3,xx}
pwd {}
pack{}
}
XML... well, we all know what that looks like..
ascii/emul.. well.. there needs to be some lines telling what the extra bytes at the end are..
Maybe we should start another thread for this new dump format.. there were some discussions on GitHub before about it,
but then it was about MIFARE Classic only..
Hey Marshmellow, does your branch also have iceman's NTAG sim? I cannot get his to compile on Linux/OSX, unfortunately.
Iceman, Marshmellow, I'm going to be around all day in the IRC today if any of you are around.
Thanks for the amazing work.
If you take Marshmellow's ntag_branch, it has my ntag-sim plus his eload..
I see the ntag_branch now, thanks iceman! I'll try that. I'll spend some time today with the Proxmark simulating an amiibo against the Nintendo Wii U / New 3DS and report results.