Proxmark3 community


#1 2015-06-14 19:20:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

HF 14A SIM - ntag simulating

I started with enhancing the "hf 14a sim" command to be able to answer some commands for ev1/ntag.

However, I can't really test them. Does someone with an ntag at home want to test it?


#2 2015-06-14 22:04:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

Why doesn't my reading Pm3 pick up the sent get_version data?!?...



the SIM side..

pm3 --> hf 14a sim t 7 u 04112233445566
Emulating ISO/IEC 14443 type A tag with 7 byte UID (04112233445566)
Press pm3-button to abort simulation
#db# Button press
#db# 0 0 c
pm3 -->
pm3 --> hf li 14a
Recorded Activity (TraceLen = 327 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7056 |       9520 | Rdr |93  20                                                           |     | ANTICOLL
      10692 |      16580 | Tag |88  04  11  22  bf                                               |     |
      18696 |      29160 | Rdr |93  70  88  04  11  22  bf  b3  f9                               |  ok | SELECT_UID
      30332 |      33852 | Tag |04  da  17                                                       |     |
      35088 |      37552 | Rdr |95  20                                                           |     | ANTICOLL-2
      38724 |      44548 | Tag |33  44  55  66  44                                               |     |
      46600 |      57064 | Rdr |95  70  33  44  55  66  44  ec  a3                               |  ok | ANTICOLL-2
      58236 |      61820 | Tag |00  fe  51                                                       |     |
     386184 |     394344 | Rdr |1b  ff  ff  ff  ff  63  00                                       |  ok | PWD-AUTH KEY: 0xffffffff
     395516 |     400252 | Tag |80  80  64  16                                                   |     |
   88205184 |   88206176 | Rdr |52                                                               |     | WUPA
   88207412 |   88209780 | Tag |44  00                                                           |     |
   88212240 |   88214704 | Rdr |93  20                                                           |     | ANTICOLL
   88215876 |   88221764 | Tag |88  04  11  22  bf                                               |     |
   88223880 |   88234344 | Rdr |93  70  88  04  11  22  bf  b3  f9                               |  ok | SELECT_UID
   88235516 |   88239036 | Tag |04  da  17                                                       |     |
   88240272 |   88242736 | Rdr |95  20                                                           |     | ANTICOLL-2
   88243908 |   88249732 | Tag |33  44  55  66  44                                               |     |
   88251784 |   88262248 | Rdr |95  70  33  44  55  66  44  ec  a3                               |  ok | ANTICOLL-2
   88263420 |   88267004 | Tag |00  fe  51                                                       |     |
   88599696 |   88603312 | Rdr |60  f8  32                                                       |  ok | EV1 VERSION
   88604484 |   88616132 | Tag |00  04  04  02  01  00  11  03  01  9e                           |  ok |
pm3 -->

the READER side..

pm3 --> hf 14a raw -s -c 60
received 7 octets
04 11 22 33 44 55 66
received 1 octets
00
pm3 --> hf li 14a
Recorded Activity (TraceLen = 155 bytes)

Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate

      Start |        End | Src | Data (! denotes parity error)                                   | CRC | Annotation         |
------------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr |52                                                               |     | WUPA
       2228 |       4596 | Tag |44  00                                                           |     |
       7040 |       9504 | Rdr |93  20                                                           |     | ANTICOLL
      10676 |      16564 | Tag |88  04  11  22  bf                                               |     |
      18688 |      29152 | Rdr |93  70  88  04  11  22  bf  b3  f9                               |  ok | SELECT_UID
      30324 |      33844 | Tag |04  da  17                                                       |     |
      35072 |      37536 | Rdr |95  20                                                           |     | ANTICOLL-2
      38708 |      44532 | Tag |33  44  55  66  44                                               |     |
      46592 |      57056 | Rdr |95  70  33  44  55  66  44  ec  a3                               |  ok | ANTICOLL-2
      58228 |      61812 | Tag |00  fe  51                                                       |     |
     394496 |     398112 | Rdr |60  f8  32                                                       |  ok | EV1 VERSION
     399284 |     399540 | Tag |00!                                                              |     |
pm3 -->


#3 2015-06-14 22:05:09

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

And yes,  the sim handles a 0x1B authenticate  but I cut it out from the reader side output..


#4 2015-06-14 22:22:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

found it...


#5 2015-06-15 03:31:39

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

I have a few ntags, ev1s, let me know what you'd like to see.


#6 2015-06-15 07:23:42

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

It's in my fork; if you can, compare the outputs from a proper ntag 215 and the "hf 14a sim t 7 u xxxxxxxxx".
At the moment read_signature is not implemented, but I'll do that sooner or later.


#7 2015-06-15 13:57:02

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

@marshmellow, if you try now, is the output from a sim/read much different from a proper ntag215?


#8 2015-06-15 15:59:32

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

The "hf 14a sim" can now simulate an NTAG215.
"hf mfu info" and "hf 14a reader" think it's an ntag... Sooooo... this means we can trick the amiibo reader
and simulate different UIDs and collect its PWDs.. scriptwise.

Now, who has an amiibo reader?!?!


#9 2015-06-15 16:20:42

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: HF 14A SIM - ntag simulating

Iceman you rock!!


#10 2015-06-15 20:30:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

No, the people who wrote the original "hf 14a sim" rock. I'm just standing on the shoulders of giants.


#11 2015-06-21 04:51:40

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

It appears the CRC calc for the mifare block read command is wrong in the 14a sim:

    1077812 |    1082516 | Rdr |30  02  10  8b                                                   |  ok | READBLOCK(2)
    1085544 |    1106344 | Tag |00  48  0f  e0  e1  10  12  00  03  00  fe  00  00  00  00  00   |     |
            |            |     |00  8d                                                           | !crc|

real tag:

   34285168 |   34289872 | Rdr |30  02  10  8b                                                   |  ok | READBLOCK(2)
   34291108 |   34311908 | Tag |38  48  00  00  e1  10  3e  00  03  00  fe  00  00  00  00  00   |     |
            |            |     |77  93                                                           |  ok |

also did you include the CHK_TEARING command?


#12 2015-06-21 04:56:40

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

Also, the signature is tied to the UID, so if the UID used to sim is different from the tag you got the signature from, then it should fail.


#13 2015-06-21 06:42:38

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

To fix the CRC errors, the following lines need to be changed to:

1171 -  ComputeCrc14443(CRC_14443_A, blockdata+start, 16, blockdata+start+16, blockdata+start+17);
1174 -  ComputeCrc14443(CRC_14443_A, blockzeros,16, blockzeros+16,blockzeros+17);
1187 -  ComputeCrc14443(CRC_14443_A, blockzeros,len, blockzeros+len, blockzeros+len+1);
1197 -  ComputeCrc14443(CRC_14443_A, data, 32, data+32, data+33);
1202 -  ComputeCrc14443(CRC_14443_A, data, 3, data+3, data+4);

It looks like there might be a memory issue as well, as one of my readers causes a pm3 crash/reboot every time (possibly overloads the memory?). It tries to read off all the memory of an ntag 215.

Last edited by marshmellow (2015-06-21 06:43:53)

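
As an added worked example (my own code, not iceman's or marshmellow's fork) of what the corrected ComputeCrc14443(CRC_14443_A, ...) calls above append: a stand-alone CRC-A routine run over the READBLOCK(2) frames quoted in #11, so the real tag's "77 93" checks out and the old sim's "00 8d" is flagged, the same verdict the ok/!crc column of the trace viewer gives. Function names are mine; ComputeCrc14443 is only mentioned in a comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CRC-A from ISO/IEC 14443-3 Annex B: reflected polynomial 0x8408, initial
 * value 0x6363, no final XOR, sent low byte first. This is what the firmware's
 * ComputeCrc14443(CRC_14443_A, data, len, data+len, data+len+1) appends. */
static uint16_t crc14443a(const uint8_t *data, size_t len)
{
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t ch = data[i] ^ (uint8_t)(crc & 0x00FF);
        ch = (uint8_t)(ch ^ (ch << 4));
        crc = (uint16_t)((crc >> 8) ^ ((uint16_t)ch << 8) ^
                         ((uint16_t)ch << 3) ^ ((uint16_t)ch >> 4));
    }
    return crc;
}

/* Append the two CRC bytes after a len-byte payload (buf must hold len+2). */
static void append_crc_a(uint8_t *buf, size_t len)
{
    uint16_t crc = crc14443a(buf, len);
    buf[len]     = (uint8_t)(crc & 0xFF);
    buf[len + 1] = (uint8_t)(crc >> 8);
}

/* Verify a captured frame whose last two bytes are its CRC, the check behind
 * the "ok" / "!crc" column of "hf list 14a". Returns 1 when the CRC matches. */
static int frame_crc_ok(const uint8_t *frame, size_t len)
{
    if (len < 3) return 0;
    uint16_t crc = crc14443a(frame, len - 2);
    return frame[len - 2] == (uint8_t)(crc & 0xFF) &&
           frame[len - 1] == (uint8_t)(crc >> 8);
}

/* Frames copied from the traces posted in this thread. */
static const uint8_t rdr_get_version[] = { 0x60, 0xf8, 0x32 };
static const uint8_t rdr_readblock2[]  = { 0x30, 0x02, 0x10, 0x8b };
static const uint8_t real_tag_block2[] = {
    0x38, 0x48, 0x00, 0x00, 0xe1, 0x10, 0x3e, 0x00,
    0x03, 0x00, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x93 };
static const uint8_t sim_tag_block2[]  = {
    0x00, 0x48, 0x0f, 0xe0, 0xe1, 0x10, 0x12, 0x00,
    0x03, 0x00, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8d };
static void report(const char *name, const uint8_t *f, size_t n)
{
    printf("%-22s %s\n", name, frame_crc_ok(f, n) ? "ok" : "!crc");
}

int main(void)
{
    report("EV1 VERSION (reader)", rdr_get_version, sizeof rdr_get_version);
    report("READBLOCK(2) (reader)", rdr_readblock2, sizeof rdr_readblock2);
    report("block 2 (real tag)", real_tag_block2, sizeof real_tag_block2);
    report("block 2 (old sim)", sim_tag_block2, sizeof sim_tag_block2);
    /* Recompute what the sim should have sent after its own 16 data bytes. */
    uint8_t fixed[18];
    for (int i = 0; i < 16; i++) fixed[i] = sim_tag_block2[i];
    append_crc_a(fixed, 16);
    printf("corrected sim CRC: %02x %02x\n", fixed[16], fixed[17]);
    return 0;
}
```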

#14 2015-06-21 10:38:40

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

CHK_TEARING is not impl.
Signature is connected with the uid, hm, of course it should fail. However, this simulation can't perform an elliptic curve calculation with the key from NXP either. This impl just answers with a signature taken from a tag and hopes that the reader doesn't do ecc calcs either. If someone can get their hands on NXP's private key it would be possible to simulate it correctly.


I'm fixing the crc and impl tearing,
will have to look into the read-all-memory thing; at the moment it just returns 16 zeros for all read blocks above 4 for the plain read command..
but for fast read it could pop the empty array limits..


#15 2015-06-22 09:20:24

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

The CRC is ok now, thanks @marshmellow for finding/testing.
The fast read has a solution, thanks @marshmellow for finding/testing.

I also implemented the command CHECK_TEARING,
and the READ/FASTREAD commands now take their data from the emulator memory. I.e. you need to eload a dump first if you want the simulation to work accordingly..

edit:
a simple impl of the "increase counter" command is done.

TODO:
----------
* increase counters
* "hf 14a sim x" extension to print password.
* eload/esave for mfu commands.
   We need a better format now. The old bin files are just not enough.
   Either an ascii/json/xml kind of format where we can save "GET_VERSION, SIGNATURE, PASSWORD, PACK" etc. together with the tag data.


Finally, Marshmellow tested the new sim functionality, and I quote: "NXP's tag info totally fooled into thinking the pm3 was my original tag." Which is a good thing.

It opens up new testing/analysing possibilities for ticketing systems.

Last edited by iceman (2015-06-22 18:44:48)


#16 2015-06-22 18:43:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

@marshmellow  can you try out the changes I did to the "hf 14a sim t 7"?

against a proper reader:
---
hf 14a sim t 7
hf 14a sim t 7 x


#17 2015-06-22 19:06:26

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

@iceman I pushed a new fork (boy, will I be glad when all my pull requests are accepted and I can merge all my branches...): ntag_simtest
I copied your fork in the first commit and made a few modifications in the last commit:

I implemented a script to convert the mfu dump .bin to .eml
I implemented option 'u' in the hf mf eload u <filename> for mifare ultralight types (4-byte blocks instead of 16-byte blocks)
I adjusted some items in the 14a sim itself.
And the result is the code I used to get a completely fooled NXP TagInfo:

** TagInfo scan (version 3.0) 2015-06-22 11:33:48 **

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG215

-- NDEF ------------------------------

# No NFC data set available:

# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 496 bytes
NDEF access: Read & Write
E1 10 3E 00                                     |..>.            |

-- EXTRA ------------------------------

# Memory size:
504 bytes user memory
* 126 pages, with 4 bytes per page

# IC detailed information:
Full product name: NT2H1511G0DUx
Capacitance: 50 pF

# Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 504 bytes
Protocol: ISO/IEC 14443-3

# Configuration information:
ASCII mirror disabled
NFC counter: disabled (no tearing)
No limit on wrong password attempts
Strong load modulation enabled

# Originality check:
Signature verified with NXP public key


-- TECH ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA, android.nfc.tech.Ndef, android.nfc.tech.Ndef]
android.nfc.tech.Ndef
android.nfc.tech.MifareUltralight
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 24576 ms


# Detailed protocol information:
ID: 04:6C:BB:9A:1D:3E:81
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:6C:BB 5B (UID0-UID2, BCC0)
[01] *  9A:1D:3E:81 (UID3-UID6)
[02] .  38 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  E1:10:3E:00 (OTP0-OTP3)
[04] .  03 00 FE 00 |....|
[05] .  00 00 00 00 |....|
[06] .  00 00 00 00 |....|
[07] .  00 00 00 00 |....|
[08] .  00 00 00 00 |....|
[09] .  00 00 00 00 |....|
[0A] .  00 00 00 00 |....|
[0B] .  00 00 00 00 |....|
[0C] .  00 00 00 00 |....|
[0D] .  00 00 00 00 |....|
[0E] .  00 00 00 00 |....|
[0F] .  00 00 00 00 |....|
[10] .  00 00 00 00 |....|
[11] .  00 00 00 00 |....|
[12] .  00 00 00 00 |....|
[13] .  00 00 00 00 |....|
[14] .  00 00 00 00 |....|
[15] .  00 00 00 00 |....|
[16] .  00 00 00 00 |....|
[17] .  00 00 00 00 |....|
[18] .  00 00 00 00 |....|
[19] .  00 00 00 00 |....|
[1A] .  00 00 00 00 |....|
[1B] .  00 00 00 00 |....|
[1C] .  00 00 00 00 |....|
[1D] .  00 00 00 00 |....|
[1E] .  00 00 00 00 |....|
[1F] .  00 00 00 00 |....|
[20] .  00 00 00 00 |....|
[21] .  00 00 00 00 |....|
[22] .  00 00 00 00 |....|
[23] .  00 00 00 00 |....|
[24] .  00 00 00 00 |....|
[25] .  00 00 00 00 |....|
[26] .  00 00 00 00 |....|
[27] .  00 00 00 00 |....|
[28] .  00 00 00 00 |....|
[29] .  00 00 00 00 |....|
[2A] .  00 00 00 00 |....|
[2B] .  00 00 00 00 |....|
[2C] .  00 00 00 00 |....|
[2D] .  00 00 00 00 |....|
[2E] .  00 00 00 00 |....|
[2F] .  00 00 00 00 |....|
[30] .  00 00 00 00 |....|
[31] .  00 00 00 00 |....|
[32] .  00 00 00 00 |....|
[33] .  00 00 00 00 |....|
[34] .  00 00 00 00 |....|
[35] .  00 00 00 00 |....|
[36] .  00 00 00 00 |....|
[37] .  00 00 00 00 |....|
[38] .  00 00 00 00 |....|
[39] .  00 00 00 00 |....|
[3A] .  00 00 00 00 |....|
[3B] .  00 00 00 00 |....|
[3C] .  00 00 00 00 |....|
[3D] .  00 00 00 00 |....|
[3E] .  00 00 00 00 |....|
[3F] .  00 00 00 00 |....|
[40] .  00 00 00 00 |....|
[41] .  00 00 00 00 |....|
[42] .  00 00 00 00 |....|
[43] .  00 00 00 00 |....|
[44] .  00 00 00 00 |....|
[45] .  00 00 00 00 |....|
[46] .  00 00 00 00 |....|
[47] .  00 00 00 00 |....|
[48] .  00 00 00 00 |....|
[49] .  00 00 00 00 |....|
[4A] .  00 00 00 00 |....|
[4B] .  00 00 00 00 |....|
[4C] .  00 00 00 00 |....|
[4D] .  00 00 00 00 |....|
[4E] .  00 00 00 00 |....|
[4F] .  00 00 00 00 |....|
[50] .  00 00 00 00 |....|
[51] .  00 00 00 00 |....|
[52] .  00 00 00 00 |....|
[53] .  00 00 00 00 |....|
[54] .  00 00 00 00 |....|
[55] .  00 00 00 00 |....|
[56] .  00 00 00 00 |....|
[57] .  00 00 00 00 |....|
[58] .  00 00 00 00 |....|
[59] .  00 00 00 00 |....|
[5A] .  00 00 00 00 |....|
[5B] .  00 00 00 00 |....|
[5C] .  00 00 00 00 |....|
[5D] .  00 00 00 00 |....|
[5E] .  00 00 00 00 |....|
[5F] .  00 00 00 00 |....|
[60] .  00 00 00 00 |....|
[61] .  00 00 00 00 |....|
[62] .  00 00 00 00 |....|
[63] .  00 00 00 00 |....|
[64] .  00 00 00 00 |....|
[65] .  00 00 00 00 |....|
[66] .  00 00 00 00 |....|
[67] .  00 00 00 00 |....|
[68] .  00 00 00 00 |....|
[69] .  00 00 00 00 |....|
[6A] .  00 00 00 00 |....|
[6B] .  00 00 00 00 |....|
[6C] .  00 00 00 00 |....|
[6D] .  00 00 00 00 |....|
[6E] .  00 00 00 00 |....|
[6F] .  00 00 00 00 |....|
[70] .  00 00 00 00 |....|
[71] .  00 00 00 00 |....|
[72] .  00 00 00 00 |....|
[73] .  00 00 00 00 |....|
[74] .  00 00 00 00 |....|
[75] .  00 00 00 00 |....|
[76] .  00 00 00 00 |....|
[77] .  00 00 00 00 |....|
[78] .  00 00 00 00 |....|
[79] .  00 00 00 00 |....|
[7A] .  00 00 00 00 |....|
[7B] .  00 00 00 00 |....|
[7C] .  00 00 00 00 |....|
[7D] .  00 00 00 00 |....|
[7E] .  00 00 00 00 |....|
[7F] .  00 00 00 00 |....|
[80] .  00 00 00 00 |....|
[81] .  00 00 00 00 |....|
[82] .  00 00 00 BD (LOCK2-LOCK4, CHK)
[83] .  04 00 00 FF (CFG, MIRROR, AUTH0)
[84] .  00 05 -- -- (ACCESS)
[85] +P FF FF FF FF (PWD0-PWD3)
[86] +P 80 80 -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------

The only difference between this and the actual tag is the 8080 pack.

Overall, great job iceman!

Last edited by marshmellow (2015-06-22 19:12:28)

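
Added example, not code from this thread or either fork: a decoder for the 8-byte GET_VERSION reply the sim answers with (00 04 04 02 01 00 11 03 in the trace in #2), showing how a reader like TagInfo arrives at the vendor NXP / type NTAG / subtype 50 pF / version 1.0 / ISO/IEC 14443-3 fields in the scan above, and how the storage byte 0x11 only narrows the user memory to the 256..512 byte class. The 1-byte 00 reply the reader side got in #2 is rejected. Struct and function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of the 8-byte GET_VERSION (0x60) response as laid out in the NXP
 * NTAG21x and MIFARE Ultralight EV1 datasheets: [0] fixed header 0x00,
 * [1] vendor ID, [2] product type, [3] product subtype, [4] major version,
 * [5] minor version, [6] storage size, [7] protocol type. */
struct mfu_version {
    uint8_t vendor, type, subtype, major, minor, storage, protocol;
    unsigned size_min, size_max;  /* user memory bounds derived from storage */
};

static const char *vendor_name(uint8_t v) { return v == 0x04 ? "NXP" : "unknown"; }

static const char *type_name(uint8_t t)
{
    switch (t) {
    case 0x03: return "MIFARE Ultralight EV1";
    case 0x04: return "NTAG";
    default:   return "unknown";
    }
}

/* Decode a version response. Returns 0 on success, -1 if the frame is not an
 * 8-byte version response (e.g. the 1-byte 0x00 NAK seen on the reader side). */
static int decode_get_version(const uint8_t *resp, size_t len, struct mfu_version *v)
{
    if (len != 8 || resp[0] != 0x00) return -1;
    v->vendor = resp[1];  v->type = resp[2];   v->subtype = resp[3];
    v->major = resp[4];   v->minor = resp[5];  v->storage = resp[6];
    v->protocol = resp[7];
    /* Storage byte: bits 7..1 hold n. If bit 0 is set the user memory lies
     * between 2^n and 2^(n+1) bytes, otherwise it is exactly 2^n bytes. */
    unsigned n = resp[6] >> 1;
    v->size_min = 1u << n;
    v->size_max = (resp[6] & 1) ? (1u << (n + 1)) : (1u << n);
    return 0;
}

/* Version bytes the sim answered with in the trace in #2, and the 1-byte
 * reply the reader-side pm3 received in the same post. */
static const uint8_t sim_version[] = { 0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03 };
static const uint8_t nak_only[]    = { 0x00 };

int main(void)
{
    struct mfu_version v;
    if (decode_get_version(sim_version, sizeof sim_version, &v) == 0) {
        printf("vendor %s, type %s, subtype 0x%02x, version %u.%u\n",
               vendor_name(v.vendor), type_name(v.type), v.subtype, v.major, v.minor);
        printf("storage byte 0x%02x -> %u..%u bytes, protocol 0x%02x\n",
               v.storage, v.size_min, v.size_max, v.protocol);
    }
    printf("1-byte reply decodes: %d\n", decode_get_version(nak_only, sizeof nak_only, &v));
    return 0;
}
```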

#18 2015-06-22 19:13:44

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

He he, I just added "hf mfu eload" and was thinking about how to implement it. Now I can take your code.

And yes, it's time some people started to merge the pull requests, but that is for another thread.

*edit*
Saw your script, great!

However, a dump file is not enough to make a good sim. We need some extra info.
This raises the question of the dump format once again.
A json format maybe?

Last edited by iceman (2015-06-22 19:25:29)


#19 2015-06-22 19:52:01

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: HF 14A SIM - ntag simulating

An mfu eload is probably the right way to go; I was lazy and added it to the mf eload...

Yes, we are missing the sig data, the pack and counters/tearing?
Add them to the end? The simpler the better for file formats...


#20 2015-06-22 20:12:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

Tearing is only interesting if the sim should tell the reader something is wrong with the counter, and we don't want that..

json ::
{
  uid {}   tag -size- type-
  data {nn,nn,nn,nn}
  signature{nn,nn,nn,}
  counter{1,xx; 2,xx 3,xx}
  pwd {}
  pack{}
}

xml... well, we all know how that looks..
ascii/emul.. well.. there need to be some lines telling what the extra bytes at the end are..


#21 2015-06-22 20:13:54

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

Maybe we should start another thread for this new dump format.. there were some discussions on GitHub about it before,
but then it was about mifare classic only..


#22 2015-06-27 19:30:24

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: HF 14A SIM - ntag simulating

Hey Marshmellow, does your branch also have iceman's NTAG sim? I cannot get his to compile on Linux/OSX unfortunately.

Iceman, Marshmellow, I'm going to be around all day in the IRC today if any of you are around.

Thanks for the amazing work.


#23 2015-06-27 19:32:13

iceman
Administrator
Registered: 2013-04-25
Posts: 9,538

Re: HF 14A SIM - ntag simulating

If you take Marshmellow's ntag_branch, it has my ntag-sim plus his eload..


#24 2015-06-27 19:40:21

borjaburgos
Contributor
From: New York, New York
Registered: 2011-07-05
Posts: 38

Re: HF 14A SIM - ntag simulating

I see the ntag_branch now, thanks iceman! I'll try that. I'll spend some time today with the proxmark simulating an amiibo against the Nintendo Wii U / New 3DS and report results.
