I feel that a combination of your and my code should do the trick...
Maybe... Unfortunately, this takes a lot of time and effort. Just in case, I whipped up my own repository https://github.com/sherhannn79/proxmark3_sher (I'm new to github). All changes to speed up work are contained in the iclass.c.
I found UPDATE and CHECK[Kc] implemented in your branch. I tried to merge this. Can you please review?
https://github.com/sherhannn79/proxmark3_sher
Fix bugs
Add comment to UPDATE command
CHECK_KC is no different from CHECK. I just added it so that there were no question marks in hf list iClass.
Last edited by sherhannn79 (2019-09-25 18:29:05)
... except that Kc needs to be used to calculate the MAC response instead of Kd....
If you do your next tests then please run 'hf list iclass f' in order to see the fdt (frame delay times, the time between reader command and tag response). They should all be 4224. Possible that we need to adjust the timing for the lengthy UPDATE code.
... except that Kc needs to be used to calculate the MAC response instead of Kd....
Perhaps you mean the READCHECK_KD and READCHECK_KC. If so, then they certainly differ.
Last edited by sherhannn79 (2019-09-26 01:49:47)
If you do your next tests then please run 'hf list iclass f' in order to see the fdt (frame delay times, the time between reader command and tag response). They should all be 4224. Possible that we need to adjust the timing for the lengthy UPDATE code.
https://www.sendspace.com/file/3813ez
@piwi
I push my complete repository based on your branch. Made corrections to the iclass.c because it did not work properly and fixed some stuff. https://github.com/sherhannn79/proxmark3_sher
Travelling for the next days. Will check on weekend.
I see some changes/additions which are unrelated to authentication:
simulating multiple pages
simulating personalization
a fix to hf iclass eload (I have added a separate PR for this)
Otherwise you have moved around the MAC calculations and the cipher state is passed by reference instead of by value. None of these changes should affect the authentication. Or did I miss something? Does it work for your old reader now?
None of these changes affect authentication with a tag that has only one page. I made these changes to possibly increase the response speed, but I did not achieve the result.
For reader rev. 1, none of my builds work well. I come to the conclusion that this is probably a very non-standard reader.
The build based on the original repository with the 'GetIClassCommandFromReader', 'uart_samples' functions from the Iceman repository and my little optimizations works well on revision 2 reader. On the reader rev. 1, this assembly is authenticated with 6 attempts.
Your assembly is not authenticated with the reader of revision 2. After a little analysis, I realized that the problem is in the response for READ4. After the proxmark responds to this command (with 8 * 4 + 2 data), the reader for some reason does not recognize the answer (although the answer looks correct in the 'hf iclass list') and breaks the session. With the reader rev.1 (which does not have the 0x26 and READ4 commands) using your assembly, I could not achieve any successful authentication (in this case, in my opinion, the reason is the speed of the response to the CHECK).
I am not sure to which releases you are referring in your comparison and if they include your and my latest changes.
Specifically: what works and what doesn't work with the release on your github repository?
Well, I have done last tests and will try to most clearly explain the result.
To start:
We have two releases, let's call them Release0 and Release1.
Release0 (https://github.com/sherhannn79/proxmark3_sher) is a repository
based on the piwi's repository (https://github.com/pwpiwi/proxmark3/tree/fix_iclass_sim)
with some changes in 'iclass.c', in the 'doIClassSimulation' function,
mainly for the ability to work with the Key Credit and multi-page tags.
Release1 (https://github.com/sherhannn79/proxmark3_sher_1) is a repository
based on the official proxmark3 repository (https://github.com/Proxmark/proxmark3)
which includes the following main changes:
1.1 'GetIClassCommandFromReader' works with the functions 'uart_init', 'uart_samples', 'uart_bit'
from Iceman's repository (https://github.com/iceman1001/proxmark3) which, in turn, are slightly optimized.
1.2 Slightly optimized functions 'CodeIClassTagAnswer', 'encode4Bits', 'SendIClassAnswer'.
1.3 In several functions, the ability to work with multi-pages tags has been added.
1.4 In the 'doIClassSimulation' added the ability to work with the Credit Key.
We also have three readers. Two of them are of different versions and one of them is another manufacturer.
In order of increasing production date, we will call these readers: reader0, reader1 and reader2.
Please note that reader0 is presented here for comparison only, since in practice it is not suitable for my purposes.
I also note that all of the readers listed are functional and always work correctly with the genuine HID tags.
We have three installed official software for working with the corresponding readers.
All tests were carried out as follows: in the software of the corresponding reader,
a function was selected for reading a new card, after which a proxmark3 was brought to the corresponding reader.
Proxmark3 was preconfigured as follows:
with the 'hf iclass eload' command, a dump copy of one genuine blank card was loaded
(the same dump was used in all tests).
Then, command 'hf iclass sim 3' was launched.
So:
Test0_0 (reader0 + release0): https://www.sendspace.com/file/dxecs0
Official software answered operation error.
Test0_1 (reader0 + release1): https://www.sendspace.com/file/54p3fz
Official software answered operation error.
Please note that earlier, in the first stages of changing my repositories,
I was able to correctly authenticate with this reader.
Unfortunately, I did not notice a change, after which my assemblies stopped,
in principle, interacting with this reader,
and now I do not have enough time to find a bug.
Test1_0 (reader1 + release0): https://www.sendspace.com/file/bp8pap
Official software answered operation error.
In this case, in my opinion, authentication fails,
because the response to the 'check' reader command is exceeded.
Test1_1 (reader1 + release1): https://www.sendspace.com/file/qfrded
Official software responded with the success of the operation.
I note that only one successful example is presented here,
which is obtained from about six unsuccessful ones.
Test2_0 (reader2 + release0): https://www.sendspace.com/file/9g4hpk
Official software answered operation error.
After analyzing the trace, I come to the conclusion that authentication is successful here,
however, after several responses from the proxmark to the 'read4' reader command,
the reader interrupts the session.
Test2_1 (reader2 + release1): https://www.sendspace.com/file/wdylqf
Official software responded with the success of the operation.
Last edited by sherhannn79 (2019-10-04 20:52:35)
Can you please provide (on some filesharer)
the traces (hf list) of your tests
the dump file you used for your tests
Can you please provide (on some filesharer)
the traces (hf list) of your tests
the dump file you used for your tests
mail me, please
Last edited by sherhannn79 (2019-10-04 21:41:39)
THANKS! Your simulation file finally allowed me to do some tests on my own and confirm the issues you have. It was indeed a timing problem (response on CHECK too slow). Speeding up some functions helped. Simulated card now authenticates every time to my reader. If you can verify, I will merge the changes to master.
I will try to check the other day.
I would like to clarify one point in advance. When using your release, my reader2 interrupts the session after the 'read4' command, is this also due to a timing problem, or is there another reason?
That is possible. I was fooled by the fdt times displayed with 'hf list iclass f' which showed OK and the same for all commands. But there still was a bug with the numbers, which showed the intended instead of the measured timings (this has been fixed now as well). The delay was biggest for CHECK (due to the MAC calculation) and READ4 (due to the coding of the 34 byte response).
With the latest changes all delays are the same and within the specification.
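A small diagnostic, added here as an example and not code from this thread or from the Proxmark project, that recomputes each fdt from the Start/End timestamps of a trace instead of trusting a printed fdt field (which, as noted above, showed the intended rather than the measured value), and reports the commands that come in slower than 4224. The trace layout, timestamps, bytes and annotations are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Per the thread, every fdt (tag response start minus reader command end)
# should be 4224 when the simulated tag keeps up with the reader.
EXPECTED_FDT = 4224

# Constructed sample in the spirit of an 'hf list iclass' trace. Columns:
# Start | End | Src | Data | CRC | Annotation. Not a real capture.
SAMPLE_TRACE = """\
      Start |        End | Src | Data                       | CRC | Annotation
          0 |       1056 | Rdr | 0a                         |     | ACTALL
       5280 |       6368 | Tag | 0f                         |     |
      30000 |      32112 | Rdr | 81 00 00 00 00 00 00 00    | ok  | SELECT
      36336 |      44784 | Tag | 00 00 00 00 00 00 00 00    | ok  |
      60000 |      61056 | Rdr | 88 02                      |     | READCHECK(Kd)
      65280 |      73728 | Tag | 00 00 00 00 00 00 00 00    |     |
      90000 |      99504 | Rdr | 05 00 00 00 00 00 00 00 00 | ok  | CHECK
     104400 |     108624 | Tag | 00 00 00 00                |     |
     120000 |     122112 | Rdr | 06 06 00 00                | ok  | READ4
     127200 |     163104 | Tag | 00 00 00 00 00 00 00 00    | ok  |
"""

# Start, End, Src, then two columns we skip, then the annotation.
LINE_RE = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(Rdr|Tag)\s*\|[^|]*\|[^|]*\|\s*(\S*)")


def frame_delays(trace: str) -> List[Tuple[str, int]]:
    """Pair each reader command with the next tag reply and return
    (command annotation, measured fdt) derived from the timestamps."""
    delays: List[Tuple[str, int]] = []
    pending = None  # (annotation, end timestamp) of the last reader frame
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator or unparsable line
        start, end, src, note = int(m[1]), int(m[2]), m[3], m[4]
        if src == "Rdr":
            pending = (note, end)
        elif pending is not None:
            delays.append((pending[0], start - pending[1]))
            pending = None
    return delays


def slow_commands(delays: List[Tuple[str, int]],
                  expected: int = EXPECTED_FDT) -> Dict[str, int]:
    """Commands whose measured fdt exceeds the expected value, with the excess."""
    return {cmd: fdt - expected for cmd, fdt in delays if fdt > expected}
```

On the constructed sample only CHECK and READ4 exceed 4224, matching the two commands the thread identifies as the slow ones.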
I have made tests with the latest piwi's release. There is some progress.
1. Reader0. Not successful: https://www.sendspace.com/file/it6yut
2. Reader 1. Not successful: https://www.sendspace.com/file/bc1uy8
3. Reader 2. Successfully: https://www.sendspace.com/file/utsx1e
As for reader1, in this case the reader interrupts the session not only after the check command, but also after other commands randomly. Can I somehow adjust the response time of the proxmark to the reader commands in this release?
yes, you just need to modify this line in iclass.c:
#define DELAY_ICLASS_VCD_TO_VICC_SIM 140
There is now a working 'hf iclass reader' and 'hf iclass snoop' (not yet merged) on official repository. This should help to identify the differences between your readers.
Happy New Year to all of you guys!
Last edited by hayabusa (2020-06-13 17:26:59)
After a long break and "thanks" to all the known world events, I got some free time and I had a need to carry out some of the procedures described in this topic. I decided to take the last official repo for testing. I did the test with my most problematic reader (reader1). The result surprised me a little. If you recall, with this reader I was able to carry out only one successful simulation of the proxmark as a tag from six unsuccessful attempts. However, now I can do the simulation with almost no errors. In fairness, I must say that all the same, the original tag works more reliably, but this is not so important.
I want to thank @Piwi. Good job!
Last edited by sherhannn79 (2020-04-19 20:28:02)