Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
I have a chameleon revG tiny which works perfectly (except that I will need to compile the firmware so it supports detection, because I get this error: "Firmware doesn't support DETECTION cmd -- mfkey32 key recovery is not possible"), but I also have a chameleon revE.
Now this revE is giving me some trouble.
I flashed it with untagged-baf383b57e2f8177d332 from the iceman1001/ChameleonMini-rebooted fork.
I loaded both with a card dump I made with my proxmark3.
When I use MCT to read it out it works perfectly but when I try an actual reader the revE (unlike the revG) does not work.
Anyone have any suggestions on what to try?
It seems to be due to some timing issues(?). When I have the revE booted up before introducing it to the reader it works but if I have the revE booted up before introducing it to the reader it DOES work.....
This is a dedicated proxmark3 forum; questions about other devices are better asked in their own repo/forum/wikis/subreddits/discord servers/irc.
[moved]
@iceman I hope with your infinite experience in Mifare cards you can give us some hints.
I have the same problem, ChameleonTiny by Proxgrind, emulation for the Russian transport system. I can't emulate either Mifare Ultralight or Mifare Classic. The problem with Ultralight is more complicated (read is ok, write is ok - but it fails some checks), but the problem with Classic is very strange/simple/on a common layer.
I have dumped my classic card with all keys and uploaded dump to Chameleon.
I can read it by blocks/sectors with the proxmark using the valid keys, and I can also dump it from the Chameleon with the proxmark without problems. But when I went to a real reader I got a strange problem - it can't auth at all (but select is ok). The keys are correct - a Chinese 'gen 3' card works great with the same data and reader, so clones are accepted.
Here is the communication log, hope you can give us some hints where the problem can be:
It is strange to me that we answer immediately (+0 ms) after receiving data, is that ok?
00000 ms <+64264 ms>:BOOT (0 bytes) [ ]
00493 ms < +493 ms>:CODEC RX (1 bytes) [26 ]
00493 ms < +0 ms>:CODEC TX (2 bytes) [4400 ]
00494 ms < +1 ms>:CODEC RX (2 bytes) [9320 ]
00494 ms < +0 ms>:CODEC TX (5 bytes) [8804121987 ]
00504 ms < +10 ms>:CODEC RX (9 bytes) [9370880412198716f9 ]
00504 ms < +0 ms>:CODEC TX (3 bytes) [04da17 ]
00505 ms < +1 ms>:CODEC RX (2 bytes) [9520 ]
00505 ms < +0 ms>:CODEC TX (5 bytes) [c3cc980295 ]
00507 ms < +2 ms>:CODEC RX (9 bytes) [9570c3cc98029528c4 ]
00507 ms < +0 ms>:CODEC TX (3 bytes) [08b6dd ]
00570 ms < +63 ms>:CODEC RX (4 bytes) [6004d13d ]
00570 ms < +0 ms>:APP AUTH (2 bytes) [6004 ]
00570 ms < +0 ms>:CODEC TX (4 bytes) [2f112d05 ]
00639 ms < +69 ms>:CODEC RX (4 bytes) [500057cd ]
00639 ms < +0 ms>:APP AUTHING (4 bytes) [98063528 ]
00639 ms < +0 ms>:APP AUTH FAILED (4 bytes) [526dc608 ]
00636 ms <+65533 ms>:CODEC RX (1 bytes) [52 ]
00636 ms < +0 ms>:CODEC TX (2 bytes) [4400 ]
00742 ms < +106 ms>:CODEC RX (9 bytes) [9370880412198716f9 ]
00743 ms < +1 ms>:CODEC TX (3 bytes) [04da17 ]
00848 ms < +105 ms>:CODEC RX (9 bytes) [9570c3cc98029528c4 ]
00848 ms < +0 ms>:CODEC TX (3 bytes) [08b6dd ]
00853 ms < +5 ms>:CODEC RX (4 bytes) [6010746b ]
00853 ms < +0 ms>:APP AUTH (2 bytes) [6010 ]
00853 ms < +0 ms>:CODEC TX (4 bytes) [5f30d1c8 ]
00958 ms < +105 ms>:CODEC RX (4 bytes) [500057cd ]
00958 ms < +0 ms>:APP AUTHING (4 bytes) [f802de68 ]
00958 ms < +0 ms>:APP AUTH FAILED (4 bytes) [07ef5e7e ]
01019 ms < +61 ms>:CODEC RX (1 bytes) [52 ]
01019 ms < +0 ms>:CODEC TX (2 bytes) [4400 ]
01124 ms < +105 ms>:CODEC RX (9 bytes) [9370880412198716f9 ]
01124 ms < +0 ms>:CODEC TX (3 bytes) [04da17 ]
01183 ms < +59 ms>:CODEC RX (9 bytes) [9570c3cc98029528c4 ]
01183 ms < +0 ms>:CODEC TX (3 bytes) [08b6dd ]
01262 ms < +79 ms>:CODEC RX (4 bytes) [601c18a1 ]
01262 ms < +0 ms>:APP AUTH (2 bytes) [601c ]
01263 ms < +1 ms>:CODEC TX (4 bytes) [2acae548 ]
01273 ms < +10 ms>:CODEC RX (4 bytes) [500057cd ]
01273 ms < +0 ms>:APP AUTHING (4 bytes) [89509d6a ]
01273 ms < +0 ms>:APP AUTH FAILED (4 bytes) [aba241f3 ]
01398 ms < +125 ms>:CODEC RX (1 bytes) [52 ]
01398 ms < +0 ms>:CODEC TX (2 bytes) [4400 ]
01402 ms < +4 ms>:CODEC RX (9 bytes) [9370880412198716f9 ]
01402 ms < +0 ms>:CODEC TX (3 bytes) [04da17 ]
01534 ms < +132 ms>:CODEC RX (9 bytes) [9570c3cc98029528c4 ]
01534 ms < +0 ms>:CODEC TX (3 bytes) [08b6dd ]
01590 ms < +56 ms>:CODEC RX (4 bytes) [6020f75a ]
01590 ms < +0 ms>:APP AUTH (2 bytes) [6020 ]
01591 ms < +1 ms>:CODEC TX (4 bytes) [d5f3d9e4 ]
01712 ms < +121 ms>:CODEC RX (4 bytes) [500057cd ]
01712 ms < +0 ms>:APP AUTHING (4 bytes) [8902d428 ]
01712 ms < +0 ms>:APP AUTH FAILED (4 bytes) [cbea763a ]
01802 ms < +90 ms>:CODEC RX (1 bytes) [52 ]
01802 ms < +0 ms>:CODEC TX (2 bytes) [4400 ]
Here is a proxmark comparison of a read from the card (first) and the chameleon emulation (second):
Original card:
[usb] pm3 --> hf mf rdbl 0 a a0a1a2a3a4a5
--block no:0, key type:A, key:A0 A1 A2 A3 A4 A5
data: 04 67 2E FA 36 4B 80 08 44 00 12 01 11 00 04 16
[usb] pm3 --> hf list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 244 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2116 | 4484 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10564 | 16388 | Tag |88 04 67 2e c5 | |
18816 | 29344 | Rdr |93 70 88 04 67 2e c5 cf da | ok | SELECT_UID
30404 | 33924 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38724 | 44612 | Tag |fa 36 4b 80 07 | |
46976 | 57440 | Rdr |95 70 fa 36 4b 80 07 94 82 | ok | SELECT_UID-2
58564 | 62084 | Tag |08 b6 dd | |
64128 | 68832 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
73284 | 78020 | Tag |85 4e c7 d9 | |
87296 | 96608 | Rdr |f9 ee! d1 83 13! d0! f7! 69 | !crc|
97732 | 102404 | Tag |ef! 47! 15 f7! | |
108288 | 113056 | Rdr |d0 a9! 2d 05! | !crc|
115268 | 136068 | Tag |bc! 3a 3f 30 f4 f8! 0c ed! da! 3c! 23! f3 ea 05 72! b0! d5 88 | !crc|
149248 | 154016 | Rdr |8f 63! a4! 62 | !crc|
Emulation:
[usb] pm3 --> hf mf rdbl 0 a a0a1a2a3a4a5
--block no:0, key type:A, key:A0 A1 A2 A3 A4 A5
data: 04 67 2E FA 36 4B 80 08 44 00 12 01 11 00 04 16
[usb] pm3 --> hf list
[=] downloading tracelog from device
[+] Recorded activity (trace len = 244 bytes)
[=] Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
[=] ISO14443A - All times are in carrier periods (1/13.56MHz)
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 992 | Rdr |52 | | WUPA
2116 | 4484 | Tag |44 00 | |
7040 | 9504 | Rdr |93 20 | | ANTICOLL
10564 | 16388 | Tag |88 04 67 2e c5 | |
18816 | 29344 | Rdr |93 70 88 04 67 2e c5 cf da | ok | SELECT_UID
30404 | 33924 | Tag |04 da 17 | |
35200 | 37664 | Rdr |95 20 | | ANTICOLL-2
38724 | 44612 | Tag |fa 36 4b 80 07 | |
46976 | 57440 | Rdr |95 70 fa 36 4b 80 07 94 82 | ok | SELECT_UID-2
58564 | 62084 | Tag |08 b6 dd | |
64128 | 68832 | Rdr |60 00 f5 7b | ok | AUTH-A(0)
78404 | 83076 | Tag |b9 b5 ba f0 | |
92416 | 101792 | Rdr |8a 73! 21! a6! e1 30! 32! 63! | !crc|
107204 | 111940 | Tag |10! d0! 0d! ce | |
117760 | 122464 | Rdr |88! dd! 4b! 18 | !crc|
132036 | 152900 | Tag |dd! 59 95 ea 2d! e2 50 f3 f1 77 8a 78! d9 91! bc c6 3b! 97 | !crc|
166016 | 170720 | Rdr |0a 78! c2! c8! | !crc|
The overall difference is 16704 clocks. Is it critical, or is it a problem in the crypto1 implementation?
Last edited by Monster1024 (2020-06-26 13:42:04)
I figured it out! It is a timing/timeout problem. We always get the 5000 message from the reader while we are trying to calculate Nonce + NonceResponse + ReaderResponse. I just moved all calculations to AuthState and it worked for me.
Last edited by Monster1024 (2020-06-27 18:15:23)
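As an added illustration of the diagnosis above (this is not code from the thread or from the ChameleonMini project): the script parses Chameleon log lines in the format quoted earlier, checks the ISO 14443-3 CRC_A on the reader frames, and reports when the reader answers the tag nonce with HLTA (50 00 57 CD, the "5000 message") instead of the 8-byte {nR}{aR}, while the APP AUTHING event shows the emulator still computing. The log excerpt is constructed from the lines posted above; the result field names are my own.

```python
import re

# Constructed excerpt of the Chameleon log posted above: one auth attempt against block 4.
LOG = """\
00570 ms < +63 ms>:CODEC RX (4 bytes) [6004d13d ]
00570 ms < +0 ms>:APP AUTH (2 bytes) [6004 ]
00570 ms < +0 ms>:CODEC TX (4 bytes) [2f112d05 ]
00639 ms < +69 ms>:CODEC RX (4 bytes) [500057cd ]
00639 ms < +0 ms>:APP AUTHING (4 bytes) [98063528 ]
00639 ms < +0 ms>:APP AUTH FAILED (4 bytes) [526dc608 ]
"""
LINE_RE = re.compile(r"^(\d+) ms <\s*\+(\d+) ms>:(.+?) \((\d+) bytes\) \[([0-9a-fA-F]*) ?\]$")

def crc_a(data: bytes) -> bytes:
    """ISO 14443-3 CRC_A (init 0x6363, reflected poly 0x8408) as the two trailing frame bytes."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b = (b ^ (b << 4)) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])

def parse_log(text: str):
    """Return (timestamp_ms, delta_ms, event, payload) per log line; non-matching lines are skipped."""
    return [(int(m[1]), int(m[2]), m[3], bytes.fromhex(m[5]))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose_auth(events):
    """Follow one Mifare Classic authentication: reader AUTH (60/61, block, CRC) -> tag nonce nT
    (4 bytes) -> reader {nR}{aR} (8 bytes) -> tag {aT}. A HLTA (50 00 + CRC) where the 8-byte
    frame should be means the reader stopped waiting for the emulated tag."""
    state, block, nonce_ts = "idle", None, None
    result = {"block": None, "verdict": "no auth seen", "reader_waited_ms": None, "app_still_computing": False}
    for ts, _delta, event, data in events:
        if event == "CODEC RX" and state == "idle" and len(data) == 4 \
                and data[0] in (0x60, 0x61) and crc_a(data[:2]) == data[2:]:
            state, block = "nonce", data[1]                  # AUTH-A/B request with valid CRC
        elif event == "CODEC TX" and state == "nonce" and len(data) == 4:
            state, nonce_ts = "reader", ts                   # tag nonce nT sent, reader's turn
        elif event == "CODEC RX" and state == "reader":
            result["block"], result["reader_waited_ms"] = block, ts - nonce_ts
            result["verdict"] = ("reader answered with {nR}{aR}" if len(data) == 8 else
                                 "reader sent HLTA before {nR}{aR}: timeout"
                                 if data == b"\x50\x00" + crc_a(b"\x50\x00") else "unexpected reader frame")
            state = "done"
        elif event == "APP AUTHING" and state == "done":
            result["app_still_computing"] = True             # crypto1 work logged after the HLTA arrived
    return result
```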
Make a PR in the chameleon repo ?
> Make a PR in the chameleon repo ?
Yep - will do it after some more real in-field tests to confirm that it is stable in my case (I have tried a real reader only once so far).
Still haven't figured out the Ultralight problem - the validator reads the card, writes new data to the card, and everything is ok in the logs - and then it gives me an error.
Will try to analyze it more.
Last edited by Monster1024 (2020-06-27 19:32:42)
Double checked today with a Russian subway validator and turnstile - it worked fine for read and write. I still have one timeout with the log saving functionality, but now it works and reads fine.
Here is my PR, but I can't test it on a real chameleon, because on the vanilla proxgrind branch I always get "auth failed" on the proxmark - I have used the clean emsec version of the MifareClassic.c file in my branch.
https://github.com/RfidResearchGroup/ChameleonMini/pull/26