rfidresearchgroup / proxmark3
Iceman Fork - Proxmark3
Home Page: http://www.icedev.se
License: GNU General Public License v3.0
@merlokk ...yours :)
Describe the bug
Compiler warning with GCC 7.3.0
Expected behavior
no compiler warnings
When writing an EM ID to a T55xx, the command "lf t55 detect" no longer detects the modulation automatically.
Command output below:
pm3 --> lf sear
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 1122334455 (41514) - Format Len: 37bit - FC: 4643 - Card: 107050
[+] Valid HID Prox ID Found!
pm3 --> lf t5 det
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 31
Seq. Term. : No
Block0 : 0x00107060
pm3 --> lf em 410x_write 0F0368568B 1
Writing T55x7 tag with UID 0x0f0368568b (clock rate: 64)
pm3 --> #db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xff83c03322a646e4
pm3 --> lf sear
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found
EM TAG ID : 0F0368568B
Possible de-scramble patterns
Unique TAG ID : F0C0166AD1
HoneyWell IdentKey {
DEZ 8 : 06837899
DEZ 10 : 0057169547
DEZ 5.5 : 00872.22155
DEZ 3.5A : 015.22155
DEZ 3.5B : 003.22155
DEZ 3.5C : 104.22155
DEZ 14/IK2 : 00064481678987
DEZ 15/IK3 : 001034014845649
DEZ 20/ZK : 15001200010606101301
}
Other : 22155_104_06837899
Pattern Paxton : 259822731 [0xF7C948B]
Pattern 1 : 9750181 [0x94C6A5]
Pattern Sebury : 22155 104 6837899 [0x568B 0x68 0x68568B]
[+] Valid EM410x ID Found!
pm3 --> lf t5 det
[!] Could not detect modulation automatically. Try setting it manually with 'lf t55xx config'
pm3 -->
Latest pull, clean build, RDV3 hardware.
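The "lf t5 det" output above is a decoded view of block 0 of the T55x7, and the raw value 0x00107060 says the same thing once the bit fields are known. The block below is an added example and not code from the Proxmark3 repository: a decoder and encoder for the T55x7 page 0 block 0 configuration word, using the bit layout of the Atmel T5577 datasheet (master key, data bit rate, X-mode, modulation, PSK carrier, AOR, OTP, max block, PWD, ST, inverse data). The value 0x00148040 for an EM410x-style layout (Manchester, RF/64, two data blocks) is derived from that layout here and is not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* T55x7 page 0 block 0 configuration word (basic mode). Masks follow the
 * Atmel T5577 datasheet, where bit 1 is the MSB of the 32-bit word. */
#define T55X7_MASTERKEY_MASK   0xF0000000u   /* bits 1-4   */
#define T55X7_BITRATE_MASK     0x001C0000u   /* bits 12-14 */
#define T55X7_BITRATE_SHIFT    18
#define T55X7_XMODE            0x00020000u   /* bit 15     */
#define T55X7_MODULATION_MASK  0x0001F000u   /* bits 16-20 */
#define T55X7_MODULATION_SHIFT 12
#define T55X7_PSKCF_MASK       0x00000C00u   /* bits 21-22 */
#define T55X7_PSKCF_SHIFT      10
#define T55X7_AOR              0x00000200u   /* bit 23     */
#define T55X7_OTP              0x00000100u   /* bit 24     */
#define T55X7_MAXBLOCK_MASK    0x000000E0u   /* bits 25-27 */
#define T55X7_MAXBLOCK_SHIFT   5
#define T55X7_PWD              0x00000010u   /* bit 28     */
#define T55X7_ST_TERMINATOR    0x00000008u   /* bit 29     */
#define T55X7_INVERSE_DATA     0x00000002u   /* bit 31     */

/* Values of the 5-bit modulation field */
enum {
    T55X7_MOD_DIRECT = 0, T55X7_MOD_PSK1 = 1, T55X7_MOD_PSK2 = 2, T55X7_MOD_PSK3 = 3,
    T55X7_MOD_FSK1 = 4, T55X7_MOD_FSK2 = 5, T55X7_MOD_FSK1A = 6, T55X7_MOD_FSK2A = 7,
    T55X7_MOD_MANCHESTER = 8, T55X7_MOD_BIPHASE = 16, T55X7_MOD_DIPHASE = 24
};

typedef struct {
    unsigned master_key;
    unsigned bitrate_idx;   /* 0..7 */
    unsigned rf_divisor;    /* RF/8 .. RF/128 */
    unsigned modulation;    /* raw 5-bit field */
    const char *mod_name;
    unsigned pskcf;         /* 0..2 -> PSK carrier RF/2, RF/4, RF/8 */
    unsigned maxblock;      /* highest data block sent in read mode */
    int xmode, aor, otp, pwd, st, inverse;
} t55x7_cfg_t;

static const unsigned rf_table[8] = {8, 16, 32, 40, 50, 64, 100, 128};

static const char *t55x7_mod_name(unsigned m) {
    switch (m) {
        case T55X7_MOD_DIRECT:     return "DIRECT/NRZ";
        case T55X7_MOD_PSK1:       return "PSK1";
        case T55X7_MOD_PSK2:       return "PSK2";
        case T55X7_MOD_PSK3:       return "PSK3";
        case T55X7_MOD_FSK1:       return "FSK1";
        case T55X7_MOD_FSK2:       return "FSK2";
        case T55X7_MOD_FSK1A:      return "FSK1a";
        case T55X7_MOD_FSK2A:      return "FSK2a";
        case T55X7_MOD_MANCHESTER: return "Manchester";
        case T55X7_MOD_BIPHASE:    return "Biphase";
        case T55X7_MOD_DIPHASE:    return "Diphase";
        default:                   return "reserved";
    }
}

/* Split a block 0 word into its fields. */
static t55x7_cfg_t t55x7_decode_block0(uint32_t b0) {
    t55x7_cfg_t c;
    c.master_key  = (b0 & T55X7_MASTERKEY_MASK) >> 28;
    c.bitrate_idx = (b0 & T55X7_BITRATE_MASK) >> T55X7_BITRATE_SHIFT;
    c.rf_divisor  = rf_table[c.bitrate_idx];
    c.modulation  = (b0 & T55X7_MODULATION_MASK) >> T55X7_MODULATION_SHIFT;
    c.mod_name    = t55x7_mod_name(c.modulation);
    c.pskcf       = (b0 & T55X7_PSKCF_MASK) >> T55X7_PSKCF_SHIFT;
    c.maxblock    = (b0 & T55X7_MAXBLOCK_MASK) >> T55X7_MAXBLOCK_SHIFT;
    c.xmode   = !!(b0 & T55X7_XMODE);
    c.aor     = !!(b0 & T55X7_AOR);
    c.otp     = !!(b0 & T55X7_OTP);
    c.pwd     = !!(b0 & T55X7_PWD);
    c.st      = !!(b0 & T55X7_ST_TERMINATOR);
    c.inverse = !!(b0 & T55X7_INVERSE_DATA);
    return c;
}

/* Build a block 0 word for the common case (no X-mode, AOR or OTP). */
static uint32_t t55x7_encode_block0(unsigned bitrate_idx, unsigned modulation,
                                    unsigned maxblock, int pwd, int st) {
    uint32_t b0 = 0;
    b0 |= (uint32_t)(bitrate_idx & 7u) << T55X7_BITRATE_SHIFT;
    b0 |= (uint32_t)(modulation & 0x1Fu) << T55X7_MODULATION_SHIFT;
    b0 |= (uint32_t)(maxblock & 7u) << T55X7_MAXBLOCK_SHIFT;
    if (pwd) b0 |= T55X7_PWD;
    if (st)  b0 |= T55X7_ST_TERMINATOR;
    return b0;
}

static void t55x7_print_block0(uint32_t b0) {
    t55x7_cfg_t c = t55x7_decode_block0(b0);
    printf("Block0 0x%08X: %s, RF/%u, X-mode %d, max block %u, PWD %d, ST %d, AOR %d\n",
           (unsigned)b0, c.mod_name, c.rf_divisor, c.xmode, c.maxblock, c.pwd, c.st, c.aor);
}

int main(void) {
    t55x7_print_block0(0x00107060u);   /* the value from the detect output above */
    /* EM410x-style layout assumed from the datasheet: Manchester, RF/64, 2 blocks */
    t55x7_print_block0(t55x7_encode_block0(5, T55X7_MOD_MANCHESTER, 2, 0, 0));
    return 0;
}
```

The decoder only says what a configuration word means; whether "lf t55 detect" succeeds still depends on the demodulator finding the right modulation and rate for block 0 on the air, which is the part that fails in the session above.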
Is your feature request related to a problem? Please describe.
Running a simple dump/restore function for complete iclass legacy tags. Today it consists of running several commands and knowing what to do.
Describe the solution you'd like
Create a new Lua script for easy autopwn functionality for iClass.
Additional context
Think the same style as the mifare_autopwn and hard_autopwn scripts.
Describe the bug
The Perl command which converts CRLF is not working properly with ProxSpace.
Loads of files are "converted" and backed up.
To Reproduce
Run make style or a run command in the ProxSpace environment.
I propose to use something like this to force LF:
File: .gitattributes
# Force LF
*.c text=auto eol=lf
*.h text=auto eol=lf
Since this repo wasn't created via the "fork" button on the iceman1001 (or even the proxmark/proxmark3) repo, you can't easily create a PR for the upstream or iceman1001 repo and this repo with just a click. It's a minor thing, but it means that the first time someone wants to contribute a patch to iceman1001 and this repo they need to fork both repos and create a PR in both of their forks.
Since the commit hashes will be the same, you should be able to delete this repo, fork iceman1001 here again, and then git push -f the correct state back in with nobody being the wiser.
Describe the bug
Since the filename template change when saving dump files etc., the template starts with 'h', as in "hf-mf-UID.bin" or similar. All older commands are still not adapted; they assume that if the first char is 'h' it's a request for help text.
To Reproduce
Steps to reproduce the behavior:
The help text is shown.
Expected behavior
Expected behavior is to load the file
Additional context
All older commands should have a param 'f' for indicating a filename entry.
This is a breaking change from the old-style command, which uses no param but only a filename.
Also, all commands should be able to load eml/bin without having to choose. fileutils.c should have support for auto-detecting and loading those two kinds of formats. In the future I also see support for reading JSON,
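The 'h' collision above is an argument-parsing problem and the eml/bin wish is a format-sniffing problem; both are small enough to show together. The block below is an added example, not code from the Proxmark3 client: it puts the old first-character check beside a token-based parser that only treats a stand-alone h as help and takes the filename from an f parameter, and adds a content heuristic that tells an .eml dump (hex text) from a .bin dump (raw bytes) and loads either into one byte buffer. The function names, the parameter grammar and the heuristic are assumptions made for this example, and the hf-mf-... filename and dump contents are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. parameter parsing ------------------------------------------------- */

/* Old style: the first character of the argument string decides whether help
 * is wanted. A filename such as "hf-mf-01020304-data.bin" starts with 'h'
 * and is therefore mistaken for a help request. */
static int old_is_help(const char *cmd) {
    return cmd[0] == 'h' || cmd[0] == 'H';
}

typedef struct {
    int help;            /* "h" given as a token of its own */
    char filename[128];  /* value following an "f" token, "" if none */
} cmd_args_t;

/* New style (assumed grammar): tokenise on whitespace; only a stand-alone "h"
 * means help, and a filename must be introduced by "f". Returns 0 on
 * success, -1 when "f" has no value. */
static int parse_args(const char *cmd, cmd_args_t *out) {
    char buf[256];
    memset(out, 0, sizeof *out);
    strncpy(buf, cmd, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "h") == 0 || strcmp(tok, "H") == 0) {
            out->help = 1;
        } else if (strcmp(tok, "f") == 0 || strcmp(tok, "F") == 0) {
            tok = strtok(NULL, " \t");
            if (!tok) return -1;
            strncpy(out->filename, tok, sizeof out->filename - 1);
        }
    }
    return 0;
}

/* --- 2. dump format auto-detection ---------------------------------------- */

typedef enum { DUMP_UNKNOWN, DUMP_BIN, DUMP_EML } dump_fmt_t;

/* Content heuristic (an assumption of this example, not the project's rule):
 * an .eml dump consists only of hex digits and line breaks, a .bin dump is raw
 * bytes and almost always contains something else. A raw dump made purely of
 * ASCII hex characters would be misclassified, so a caller that knows the
 * extension should trust that first. */
static dump_fmt_t detect_dump_format(const uint8_t *buf, size_t len) {
    size_t hexdigits = 0;
    if (len == 0) return DUMP_UNKNOWN;
    for (size_t i = 0; i < len; i++) {
        if (isxdigit(buf[i])) hexdigits++;
        else if (buf[i] != '\n' && buf[i] != '\r' && buf[i] != ' ') return DUMP_BIN;
    }
    return (hexdigits % 2 == 0) ? DUMP_EML : DUMP_UNKNOWN;
}

/* Convert eml text to bytes. Returns the byte count, or -1 on an odd number
 * of hex digits or an output buffer that is too small. */
static long eml_to_bin(const uint8_t *text, size_t len, uint8_t *out, size_t outcap) {
    size_t n = 0;
    int have_nibble = 0;
    uint8_t cur = 0;
    for (size_t i = 0; i < len; i++) {
        int c = text[i], v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else continue;                          /* skip line breaks and spaces */
        if (!have_nibble) { cur = (uint8_t)(v << 4); have_nibble = 1; }
        else {
            if (n >= outcap) return -1;
            out[n++] = (uint8_t)(cur | v);
            have_nibble = 0;
        }
    }
    return have_nibble ? -1 : (long)n;
}

/* Load either format into out without the caller choosing; -1 on failure. */
static long load_dump(const uint8_t *buf, size_t len, uint8_t *out, size_t outcap) {
    switch (detect_dump_format(buf, len)) {
        case DUMP_EML: return eml_to_bin(buf, len, out, outcap);
        case DUMP_BIN: if (len > outcap) return -1; memcpy(out, buf, len); return (long)len;
        default:       return -1;
    }
}

int main(void) {
    const char *fname = "hf-mf-01020304-data.bin";       /* constructed */
    const uint8_t eml[] = "00112233\n44556677\n";         /* constructed eml */
    uint8_t out[16];
    cmd_args_t a;
    printf("old check treats \"%s\" as help: %d\n", fname, old_is_help(fname));
    parse_args("f hf-mf-01020304-data.bin", &a);
    printf("new parser: help=%d file=%s\n", a.help, a.filename);
    printf("eml loaded as %ld bytes\n", load_dump(eml, sizeof eml - 1, out, sizeof out));
    return 0;
}
```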
Describe the bug
Running make style generates lots of rows of "no such file or directory".
Expected behavior
No repeating lines
Screenshots
find . \( -name "*.[ch]" -or -name "*.cpp" \) -exec astyle --formatted --mode=c --suffix=none \
--indent=spaces=4 --indent-switches --indent-preprocessor \
--keep-one-line-blocks --max-instatement-indent=60 \
--style=google --pad-oper --unpad-paren --pad-header \
--align-pointer=name {} \;
find: astyle: No such file or directory
find: astyle: No such file or directory
find: astyle: No such file or directory
find: astyle: No such file or directory
Describe the bug
I get #db# messages at the first start of the client:
[=] UART Setting serial baudrate 460800
#db# unknown command:: 0xd32d410d
If I exit the client, the next time this message doesn't appear.
Expected behavior
#db# unknown command will not be shown.
Desktop (please complete the following information):
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/259dbadb 2018-12-04 13:30:56
os: iceman/master/259dbadb 2018-12-04 13:30:58
[ FPGA ]
LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 241920 bytes (46%) Free: 282368 bytes (54%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
#db# Flash memory
#db# Baudrate................24MHz
#db# Init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a70f7f26
#db# Smart card module (ISO 7816)
#db# version.................v2.06
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# LF T55XX config
#db# [a] startgap............29*8 (232)
#db# [b] writegap............17*8 (136)
#db# [c] write_0.............15*8 (120)
#db# [d] write_1.............47*8 (376)
#db# [e] readgap.............15*8 (120)
#db# USB Speed
#db# Sending USB packets to client...
#db# Time elapsed............1500ms
#db# Bytes transferred.......809984
#db# USB Transfer Speed PM3 -> Client = 539989 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
pm3 --> data tune
[=] measuring antenna characteristics, please wait...
....
[+] LF antenna: 72,94 V - 125.00 kHz
[+] LF antenna: 39,23 V - 134.00 kHz
[+] LF optimal: 72,94 V - 125,00 kHz
[+] LF antenna is OK
[+] HF antenna: 48,15 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Additional context
n/a
After the last changes resolving memory leaks I'm unable to perform a full hardnested attack, using a modified version of iceman's old hardnested script :)
When the script runs key checking, sometimes there is a nasty surprise:
> [+] Using AVX SIMD core.
>
>
>
> time | #nonces | Activity | expected to brute force
> | | | #states | time
> ------------------------------------------------------------------------------------------------------
> 0 | 0 | Start using 4 threads and AVX SIMD core | |
> 0 | 0 | Brute force benchmark: 262 million (2^28,0) keys/s | 140737488355328 | 6d
> 1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 6d
> #db# AcquireNonces: Auth1 error
> 5 | 112 | Apply bit flip properties | 10142311514112 | 11h
> 6 | 224 | Apply bit flip properties | 8605346562048 | 9h
> 7 | 335 | Apply bit flip properties | 8444816916480 | 9h
> 9 | 445 | Apply bit flip properties | 8386506129408 | 9h
> 10 | 555 | Apply bit flip properties | 8378623459328 | 9h
> 11 | 666 | Apply bit flip properties | 8378623459328 | 9h
> 11 | 777 | Apply bit flip properties | 8378623459328 | 9h
> 12 | 887 | Apply bit flip properties | 8378623459328 | 9h
> 13 | 997 | Apply bit flip properties | 8378623459328 | 9h
> 13 | 1108 | Apply bit flip properties | 8378623459328 | 9h
> 14 | 1216 | Apply bit flip properties | 8378623459328 | 9h
> 15 | 1326 | Apply bit flip properties | 8378623459328 | 9h
> 17 | 1437 | Apply Sum property. Sum(a0) = 0 | 680740257792 | 43min
> 17 | 1545 | Apply bit flip properties | 299168268288 | 19min
> 18 | 1655 | Apply bit flip properties | 299165908992 | 19min
> 19 | 1764 | Apply bit flip properties | 299168268288 | 19min
> 20 | 1875 | Apply bit flip properties | 299168268288 | 19min
> 21 | 1982 | Apply bit flip properties | 299168268288 | 19min
> 22 | 2090 | Apply bit flip properties | 299168268288 | 19min
> 22 | 2090 | (1. guess: Sum(a8) = 0) | 299168268288 | 19min
> 24 | 2090 | Apply Sum(a8) and all bytes bitflip properties | 256709115904 | 16min
> 26 | 2090 | (2. guess: Sum(a8) = 64) | 978981879808 | 62min
> 31 | 2090 | Apply Sum(a8) and all bytes bitflip properties | 917501706240 | 58min
> 38 | 2090 | Brute force phase: 11,99% | 917216165888 | 58min
> 43 | 2090 | Brute force phase completed. Key found: <censored> | 0 | 0s
> ### check_found_keys
> #db# ChkKeys: Can't select card (ALL)
> ### target key B - Sector 1 block: 4 [0x04]
> [+] Using AVX SIMD core.
>
>
>
> time | #nonces | Activity | expected to brute force
> | | | #states | time
> ------------------------------------------------------------------------------------------------------
> 0 | 0 | Start using 4 threads and AVX SIMD core | |
> 0 | 0 | Brute force benchmark: 262 million (2^28,0) keys/s | 140737488355328 | 6d
> 1 | 0 | Using 235 precalculated bitflip state tables | 140737488355328 | 6d
> 5 | 112 | Apply bit flip properties | 102006292480 | 6min
> 6 | 223 | Apply bit flip properties | 26656464896 | 2min
> 7 | 334 | Apply bit flip properties | 26204344320 | 2min
> 8 | 444 | Apply bit flip properties | 23270062080 | 89s
> 9 | 555 | Apply bit flip properties | 23270062080 | 89s
> 10 | 664 | Apply bit flip properties | 23155558400 | 88s
> 11 | 775 | Apply bit flip properties | 21135179776 | 81s
> 12 | 886 | Apply bit flip properties | 21135179776 | 81s
> 13 | 997 | Apply bit flip properties | 21135179776 | 81s
> 13 | 1104 | Apply bit flip properties | 21135179776 | 81s
> #db# AcquireNonces: Auth1 error
> 14 | 1212 | Apply bit flip properties | 21135179776 | 81s
> 15 | 1322 | Apply bit flip properties | 21135179776 | 81s
> 16 | 1433 | Apply bit flip properties | 21135179776 | 81s
> 18 | 1544 | Apply Sum property. Sum(a0) = 128 | 2343664640 | 9s
> 19 | 1653 | Apply bit flip properties | 1892741888 | 7s
> 20 | 1762 | Apply bit flip properties | 1892741888 | 7s
> #db# AcquireNonces: Auth1 error
> 20 | 1868 | Apply bit flip properties | 1892741888 | 7s
> 21 | 1868 | (Ignoring Sum(a8) properties) | 1892741888 | 7s
> 27 | 1868 | Brute force phase completed. Key found: <censored> | 0 | 0s
> double free or corruption (out)
> Segmentation fault (core dumped)
I guess it's because my shitty card is having some trouble with key checking at sector 4, key B with the faster UART path, and memory is freed even if there is a timeout.
This message "normally" shows when the check_keys function is unable to determine the newly found key:
### check_found_keys
UART:: write time-out
[!] sending bytes to proxmark failed
Meanwhile I checked out 956899b839e3a3ec35b1f5167ec1d1bde9cb4c5c and it's working perfectly :)
Describe the bug
The signal generated by the current dual antenna for FSK is very strong, a.k.a. clipped.
This makes the FSK modulation fail if the tag is directly on the antenna. If you have some distance between tag and antenna, the FSK modulation works.
To Reproduce
Use a T5577 card directly on the LF antenna.
Expected behavior
The demodulation of FSK should work for both strong and weak signals.
I have the Proxmark 3 RDV4 and tried simulation of a legic prime card.
I used the steps
From older forum posts and issues I saw "timing errors" mentioned, but I thought with #25 this had been fixed.
Can I somehow help with the debugging/development of this feature? I have experience with programming and electronics as well as some tools like oscilloscope.
I do not know where to start or what to check because I'm not familiar with the project yet. Maybe someone has an idea?
lfops.c: In function 'setT55xxConfig':
lfops.c:83:5: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
if (!FlashInit())
^~
lfops.c:86:2: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
Flash_CheckBusy(BUSY_TIMEOUT);
^~~~~~~~~~~~~~~
lfops.c: In function 'loadT55xxConfig':
lfops.c:103:5: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
if (!FlashInit())
^~
lfops.c:106:2: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
Flash_CheckBusy(BUSY_TIMEOUT);
^~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [obj/lfops.o] Error 1
make: *** [armsrc/all] Error 2
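The build failure above is GCC 7's -Wmisleading-indentation, promoted to an error by -Werror. Whether it is a real bug depends on the statement between the if and Flash_CheckBusy(), which the excerpt does not show, so the block below is an added example with a hypothetical body rather than the lfops.c code: a mock flash layer records whether Flash_CheckBusy() is reached when FlashInit() fails, once for the misleadingly indented shape and once for the braced version. The pragma is there only so the deliberately wrong shape compiles under -Werror; FlashInit, Flash_CheckBusy and BUSY_TIMEOUT are stand-ins with the same names as in the error output.

```c
#include <stdio.h>

#define BUSY_TIMEOUT 1000

/* Mock flash layer, constructed for this example: FlashInit() succeeds or
 * fails on demand and we count how often Flash_CheckBusy() is reached. */
static int g_init_ok = 1;
static int g_init_failures = 0;
static int g_checkbusy_calls = 0;

static int  FlashInit(void) { return g_init_ok; }
static void Flash_CheckBusy(int timeout_us) { (void)timeout_us; g_checkbusy_calls++; }

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wmisleading-indentation"
/* The shape GCC 7 flags: the indentation says both lines belong to the if,
 * the grammar says only the first one does. After a failed init the code
 * still polls the flash chip as if it had been initialised. */
static int save_config_misleading(void) {
    if (!FlashInit())
        g_init_failures++;
        Flash_CheckBusy(BUSY_TIMEOUT);   /* NOT guarded by the if above */
    return g_init_ok ? 0 : -1;
}
#pragma GCC diagnostic pop

/* Same intent with braces and an early return: nothing touches the flash
 * unless FlashInit() succeeded, and there is nothing for the compiler to
 * complain about. */
static int save_config_braced(void) {
    if (!FlashInit()) {
        g_init_failures++;
        return -1;
    }
    Flash_CheckBusy(BUSY_TIMEOUT);
    return 0;
}

/* Run one variant with FlashInit() forced to succeed (1) or fail (0) and
 * return how many times Flash_CheckBusy() was reached. */
static int checkbusy_calls_for(int init_ok, int (*variant)(void)) {
    g_init_ok = init_ok;
    g_init_failures = 0;
    g_checkbusy_calls = 0;
    (void)variant();
    return g_checkbusy_calls;
}

int main(void) {
    printf("misleading, init fails: Flash_CheckBusy reached %d time(s)\n",
           checkbusy_calls_for(0, save_config_misleading));
    printf("braced,     init fails: Flash_CheckBusy reached %d time(s)\n",
           checkbusy_calls_for(0, save_config_braced));
    printf("braced,     init ok:    Flash_CheckBusy reached %d time(s)\n",
           checkbusy_calls_for(1, save_config_braced));
    return 0;
}
```

The warning is worth keeping as an error in firmware builds: the same shape in a guard around a hardware access, or around a bounds check, is the "goto fail" class of bug, and the compiler is the cheapest place to catch it.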
When I try to do a hardnested attack, I get:
Apply bit flip properties | nan | nand
I am not sure if it has something to do with the OS, but I am using OSX. The nan|nand goes on forever.
The iceman repo does not have this problem.
I didn't have time to dive into this yet. But I thought it might be good to share the issue.
Is your feature request related to a problem? Please describe.
As of now only some of the commands have implemented BIN/JSON formats.
Describe the solution you'd like
All commands that involve files should support BIN/JSON formats.
Describe alternatives you've considered
As an alternative, Lua scripts can be made. No more Python scripts.
Additional context
All formats we support help when other tools need to import/export from a Proxmark-generated file.
Today we have Chameleon Mini GUI and MCT tool interoperability, and hopefully also Project Walrus in the near future.
I followed the MacOS instructions, and they did not work.
$ brew tap RfidResearchGroup/proxmark3
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Updated Formulae
openssl ✔ azure-cli beast cquery geoipupdate influxdb lxc protobuf-c wtf
==> Tapping rfidresearchgroup/proxmark3
Cloning into '/usr/local/Homebrew/Library/Taps/rfidresearchgroup/homebrew-proxmark3'...
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 5 (delta 0), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (5/5), done.
Tapped 1 formula (30 files, 28KB).
$ brew install proxmark3
Error: rfidresearchgroup/proxmark3/proxmark3 is a head-only formula
Install with `brew install --HEAD rfidresearchgroup/proxmark3/proxmark3`
$ brew install --HEAD proxmark3
==> Installing proxmark3 from rfidresearchgroup/proxmark3
Error: No available formula with the name "rfidresearchgroup/proxmark3/arm-none-eabi-gcc" (dependency of rfidresearchgroup/proxmark3/proxmark3)
==> Searching for a previously deleted formula (in the last month)...
Error: No previously deleted formula found.
==> Searching for similarly named formulae...
Error: No similarly named formulae found.
I'm not sure what to do here.
@merlokk has been requesting / wanting to emulate a contactless smart card, but with RDV4 the question was raised whether we can emulate a contact smart card over the SIM card module.
While installing on Mac, it throws this error, based on the commit added 20 minutes ago.
gcc -MT obj/cmdhflegic.o -MMD -MP -MF obj/cmdhflegic.Td -std=c99 -D_ISOC99_SOURCE -DPRESETS -I. -I../include -I../common -I../common/polarssl -I../zlib -I../uart -I/opt/local/include -I../liblua -Wall -g -O3 -DHAVE_GUI -DWITH_FLASH -DWITH_SMARTCARD -DWITH_FPC -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED -c -o obj/cmdhflegic.o cmdhflegic.c
cmdhflegic.c:506:25: error: expected expression
if ( strlen(Cmd) = 0 | |cmdp == 'h' ) return usage_legic_sim();
^
1 error generated.
make[1]: *** [obj/cmdhflegic.o] Error 1
make: *** [client/all] Error 2
Hi,
I started to work on hf mf sim to:
This part is almost finished.
As @icemann said to me, maybe I will need to modify some files after Philippe Teuwen's (@doegox) cleaning (thanks for this! I had a big mess with CRLF/LF files in the repo before).
Now I'm working on Mifare Mini, 1k and 4k simulation, as the current Mifare1ksim function only supports 1k cards.
Work in progress:
I will start to do a PR quite soon (I hope) :)
Hi
Here are strange initializers. mbedtls doesn't have this field.
I have no idea why it needs to be there.
des3_context ctx = { DES_DECRYPT ,{ 0 } };
https://github.com/RfidResearchGroup/proxmark3/blob/master/client/loclass/elite_crack.c#L175
https://github.com/RfidResearchGroup/proxmark3/blob/master/client/cmdhficlass.c#L769
Can we test these parts of the code if I get rid of PolarSSL?
P.S. I will put the changes in the next PR after #48.
Describe the bug
EM Marine card read is broken after the last commits.
Without card attached:
pm3 --> lf em 410x_read
LF Signal properties:
high..........15
low...........-7
mean..........2
amplitude.....13
is Noise......No
THRESHOLD noice amplitude......10
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 8192
getHiLo fuzzed: High 37 | Low 20
getHiLo fuzzed: High 43 | Low 26
getHiLo fuzzed: High 43 | Low 26
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:8
With card attached:
pm3 --> lf em 410x_read
LF Signal properties:
high..........125
low...........-128
mean..........-5
amplitude.....130
is Noise......No
THRESHOLD noice amplitude......10
[#] DEBUG: (setClockGrid) demodoffset 0, clk 0
[#] DEBUG: (ASKDemod_ext) Bitlen from grphbuff: 8192
getHiLo fuzzed: High 125 | Low -76
getHiLo fuzzed: High 125 | Low -64
getHiLo fuzzed: High 125 | Low -64
DEBUG: (askdemod_ext) CLEAN: startIdx 0, alignPos 0
[#] DEBUG: (ASKDemod_ext) No data found errors:-1, invert:0, bitlen:0, clock:32
pm3 --> hw version
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ 2018-09-05 14:29:59
os: iceman/master/ 2018-09-06 10:17:49
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 8/10 at 11:48:34
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 242267 bytes (46) Free: 282021 bytes (54)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............0
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
#db# Flash memory
#db# init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a7bb8e25
#db# Smart card module (ISO 7816)
#db# version.................v2.06
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# USB Speed
#db# Sending USB packets to client...
#db# Time elapsed............1500ms
#db# Bytes transferred.......780800
#db# USB Transfer Speed PM3 -> Client = 520533 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mods
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
pm3 --> data tune
[=] measuring antenna characteristics, please wait...
...
[+] LF antenna: 57.64 V - 125.00 kHz
[+] LF antenna: 42.77 V - 134.00 kHz
[+] LF optimal: 61.47 V - 127.66 kHz
[+] LF antenna is OK
[+] HF antenna: 48.01 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
It always shows "Trigger kicked!" when using "hf snoop". I try to sniff a key from an M1 card and reader using the pm3. When I type the hf snoop command and then put the pm3 near the reader, I receive "Trigger kicked!" immediately. And I get no valuable data by looking at the hex using "hf list". It does not need an RFID card; just put the pm3 near a reader and you will see this.
Card readers tried: Android 8.1 phone with NFC, PN532, a reader in an elevator.
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/75d0b0b0 2019-01-01 20:27:24
os: iceman/master/75d0b0b0 2019-01-01 20:28:17
[ FPGA ]
LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 240818 bytes (46%) Free: 283470 bytes (54%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................1
#db# traceLen ...............40000
#db# Currently loaded FPGA image
#db# mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
#db# Flash memory
#db# Baudrate................24MHz
#db# Init....................OK
#db# Memory size.............2 mbits / 256kb
#db# Unique ID...............0xd567a882a76ec526
#db# Smart card module (ISO 7816)
#db# version.................v2.06
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# LF T55XX config
#db# [a] startgap............298 (232)
#db# [b] writegap............178 (136)
#db# [c] write_0.............158 (120)
#db# [d] write_1.............478 (376)
#db# [e] readgap.............15*8 (120)
#db# USB Speed
#db# Sending USB packets to client...
#db# Time elapsed............1500ms
#db# Bytes transferred.......740352
#db# USB Transfer Speed PM3 -> Client = 493568 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............-1
#db# ToSendBit...............0
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mode
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
pm3 --> data tune
[=] measuring antenna characteristics, please wait...
....
[!] LF antenna is UNUSABLE
[+] HF antenna: 36.18 V - 13.56 MHz
[+] HF antenna is OK
[-] Not showing LF tuning graph since all values is zero.
Only happening with this firmware; original and iceman are OK. See below:
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
....
[+] LF antenna: 67.13 V - 125.00 kHz
[+] LF antenna: 41.50 V - 134.00 kHz
[+] LF optimal: 69.11 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 47.02 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
No GUI in this build!
pm3 --> lf sear
#db# transfer to client failed :: | bytes between 0 - 512 (512)
#db# transfer to client failed :: | bytes between 512 - 1024 (512)
#db# transfer to client failed :: | bytes between 1024 - 1536 (512)
#db# transfer to client failed :: | bytes between 1536 - 2048 (512)
#db# transfer to client failed :: | bytes between 2048 - 2560 (512)
#db# transfer to client failed :: | bytes between 2560 - 3072 (512)
#db# transfer to client failed :: | bytes between 3072 - 3584 (512)
#db# transfer to client failed :: | bytes between 3584 - 4096 (512)
#db# transfer to client failed :: | bytes between 4096 - 4608 (512)
#db# transfer to client failed :: | bytes between 4608 - 5120 (512)
#db# transfer to client failed :: | bytes between 5120 - 5632 (512)
#db# transfer to client failed :: | bytes between 5632 - 6144 (512)
#db# transfer to client failed :: | bytes between 6144 - 6656 (512)
#db# transfer to client failed :: | bytes between 6656 - 7168 (512)
#db# transfer to client failed :: | bytes between 7168 - 7680 (512)
#db# transfer to client failed :: | bytes between 7680 - 8192 (512)
#db# transfer to client failed :: | bytes between 8192 - 8704 (512)
#db# transfer to client failed :: | bytes between 8704 - 9216 (512)
#db# transfer to client failed :: | bytes between 9216 - 9728 (512)
#db# transfer to client failed :: | bytes between 9728 - 10240 (512)
#db# transfer to client failed :: | bytes between 10240 - 10752 (512)
#db# transfer to client failed :: | bytes between 10752 - 11264 (512)
#db# transfer to client failed :: | bytes between 11264 - 11776 (512)
#db# transfer to client failed :: | bytes between 11776 - 12288 (512)
#db# transfer to client failed :: | bytes between 12288 - 12800 (512)
#db# transfer to client failed :: | bytes between 12800 - 13312 (512)
#db# transfer to client failed :: | bytes between 13312 - 13824 (512)
#db# transfer to client failed :: | bytes between 13824 - 14336 (512)
#db# transfer to client failed :: | bytes between 14336 - 14848 (512)
#db# transfer to client failed :: | bytes between 14848 - 15360 (512)
#db# transfer to client failed :: | bytes between 15360 - 15872 (512)
#db# transfer to client failed :: | bytes between 15872 - 16384 (512)
#db# transfer to client failed :: | bytes between 16384 - 16896 (512)
#db# transfer to client failed :: | bytes between 16896 - 17408 (512)
#db# transfer to client failed :: | bytes between 17408 - 17920 (512)
#db# transfer to client failed :: | bytes between 17920 - 18432 (512)
#db# transfer to client failed :: | bytes between 18432 - 18944 (512)
#db# transfer to client failed :: | bytes between 18944 - 19456 (512)
#db# transfer to client failed :: | bytes between 19456 - 19968 (512)
#db# transfer to client failed :: | bytes between 19968 - 20480 (512)
#db# transfer to client failed :: | bytes between 20480 - 20992 (512)
#db# transfer to client failed :: | bytes between 20992 - 21504 (512)
#db# transfer to client failed :: | bytes between 21504 - 22016 (512)
#db# transfer to client failed :: | bytes between 22016 - 22528 (512)
#db# transfer to client failed :: | bytes between 22528 - 23040 (512)
#db# transfer to client failed :: | bytes between 23040 - 23552 (512)
#db# transfer to client failed :: | bytes between 23552 - 24064 (512)
#db# transfer to client failed :: | bytes between 24064 - 24576 (512)
#db# transfer to client failed :: | bytes between 24576 - 25088 (512)
#db# transfer to client failed :: | bytes between 25088 - 25600 (512)
#db# transfer to client failed :: | bytes between 25600 - 26112 (512)
#db# transfer to client failed :: | bytes between 26112 - 26624 (512)
#db# transfer to client failed :: | bytes between 26624 - 27136 (512)
#db# transfer to client failed :: | bytes between 27136 - 27648 (512)
#db# transfer to client failed :: | bytes between 27648 - 28160 (512)
#db# transfer to client failed :: | bytes between 28160 - 28672 (512)
#db# transfer to client failed :: | bytes between 28672 - 29184 (512)
#db# transfer to client failed :: | bytes between 29184 - 29696 (512)
#db# transfer to client failed :: | bytes between 29696 - 30000 (304)
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 20041400cd (102) - Format Len: 26bit - FC: 10 - Card: 102
[+] Valid HID Prox ID Found!
#db# transfer to client failed :: | bytes between 0 - 512 (512)
#db# transfer to client failed :: | bytes between 512 - 1024 (512)
#db# transfer to client failed :: | bytes between 1024 - 1536 (512)
#db# transfer to client failed :: | bytes between 1536 - 2048 (512)
#db# transfer to client failed :: | bytes between 2048 - 2560 (512)
#db# transfer to client failed :: | bytes between 2560 - 3072 (512)
#db# transfer to client failed :: | bytes between 3072 - 3584 (512)
#db# transfer to client failed :: | bytes between 3584 - 4096 (512)
#db# transfer to client failed :: | bytes between 4096 - 4608 (512)
#db# transfer to client failed :: | bytes between 4608 - 5120 (512)
#db# transfer to client failed :: | bytes between 5120 - 5632 (512)
#db# transfer to client failed :: | bytes between 5632 - 6000 (368)
#db# transfer to client failed :: | bytes between 0 - 512 (512)
#db# transfer to client failed :: | bytes between 512 - 1024 (512)
#db# transfer to client failed :: | bytes between 1024 - 1536 (512)
#db# transfer to client failed :: | bytes between 1536 - 2048 (512)
#db# transfer to client failed :: | bytes between 2048 - 2560 (512)
#db# transfer to client failed :: | bytes between 2560 - 3072 (512)
#db# transfer to client failed :: | bytes between 3072 - 3584 (512)
#db# transfer to client failed :: | bytes between 3584 - 4096 (512)
#db# transfer to client failed :: | bytes between 4096 - 4608 (512)
#db# transfer to client failed :: | bytes between 4608 - 5120 (512)
#db# transfer to client failed :: | bytes between 5120 - 5632 (512)
#db# transfer to client failed :: | bytes between 5632 - 6144 (512)
#db# transfer to client failed :: | bytes between 6144 - 6656 (512)
#db# transfer to client failed :: | bytes between 6656 - 7168 (512)
#db# transfer to client failed :: | bytes between 7168 - 7679 (511)
pm3 -->
pm3 --> lf t5 det
#db# transfer to client failed :: | bytes between 0 - 512 (512)
#db# transfer to client failed :: | bytes between 512 - 1024 (512)
#db# transfer to client failed :: | bytes between 1024 - 1536 (512)
#db# transfer to client failed :: | bytes between 1536 - 2048 (512)
#db# transfer to client failed :: | bytes between 2048 - 2560 (512)
#db# transfer to client failed :: | bytes between 2560 - 3072 (512)
#db# transfer to client failed :: | bytes between 3072 - 3584 (512)
#db# transfer to client failed :: | bytes between 3584 - 4096 (512)
#db# transfer to client failed :: | bytes between 4096 - 4608 (512)
#db# transfer to client failed :: | bytes between 4608 - 5120 (512)
#db# transfer to client failed :: | bytes between 5120 - 5632 (512)
#db# transfer to client failed :: | bytes between 5632 - 6144 (512)
#db# transfer to client failed :: | bytes between 6144 - 6656 (512)
#db# transfer to client failed :: | bytes between 6656 - 7168 (512)
#db# transfer to client failed :: | bytes between 7168 - 7679 (511)
Chip Type : T55x7
Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 32
Seq. Term. : No
Block0 : 0x00107060
pm3 -->
Request: a new standalone mode to sniff and save the record on flash, if possible, to later download it on a PC. Really useful in real field applications.
The only thing I found is -> https://github.com/bogiton/proxmark3/commits?author=bogiton
From: iceman1001/proxmark3#247
Sometimes it is useful to be able to unhang the I2C. Normally one would unplug the pm3, but that is too blunt a method to use.
Link to suggested code that deals with a hung i2c.
https://github.com/merlokk/SmartHome/blob/master/ESP8266CO2PM25/ESP8266CO2PM25.ino#L75
@cjbrigato any takers on this?
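The usual way to unhang a bus whose slave is stuck mid-transfer holding SDA low is the 9-clock bus clear: release SDA, toggle SCL until the slave lets go (at most nine clocks, enough to finish any pending byte plus its ACK bit), then generate a STOP so the slave sees a clean end of transaction. The block below is an added example, not the ESP8266 sketch linked above and not the RDV4 I2C driver: the bus is a constructed software model whose stuck slave releases SDA after a chosen number of clocks, so the recovery routine can be exercised offline. Wiring it to real hardware means replacing the three pin helpers with GPIO accesses; everything else is an assumption of this example.

```c
#include <stdio.h>

/* Software model of an I2C bus with one slave stuck mid-transfer, constructed
 * for this example. The slave holds SDA low and releases it after it has seen
 * `clocks_to_release` more SCL rising edges; the master drives SCL and its own
 * open-drain SDA. */
typedef struct {
    int scl;                /* level the master drives on SCL */
    int master_sda;         /* master's SDA driver, 1 = released (pulled up) */
    int slave_holds_sda;    /* 1 while the stuck slave pulls SDA low */
    int clocks_to_release;  /* rising edges the slave still needs */
    int stop_seen;          /* set when a STOP condition is generated */
} i2c_sim_t;

/* A bus whose slave needs `clocks_to_release` clocks; 0 means not stuck. */
static i2c_sim_t stuck_bus(int clocks_to_release) {
    i2c_sim_t b = {1, 1, clocks_to_release > 0, clocks_to_release, 0};
    return b;
}

/* Wired-AND: SDA reads low if anyone pulls it low. */
static int read_sda(const i2c_sim_t *b) { return b->master_sda && !b->slave_holds_sda; }

static void set_scl(i2c_sim_t *b, int level) {
    if (!b->scl && level && b->slave_holds_sda) {      /* rising edge seen by slave */
        if (--b->clocks_to_release <= 0) b->slave_holds_sda = 0;
    }
    b->scl = level;
}

static void set_sda(i2c_sim_t *b, int level) {
    /* SDA rising while SCL is high is a STOP condition */
    if (b->scl && !b->master_sda && level && !b->slave_holds_sda) b->stop_seen = 1;
    b->master_sda = level;
}

/* 9-clock bus clear. Returns the number of clocks needed (0..9) when the bus
 * is free afterwards, or -1 if the slave still holds SDA low, which means the
 * hang is not a mid-byte stall and clocking will not cure it. */
static int i2c_bus_recover(i2c_sim_t *b) {
    int clocks = 0;
    set_sda(b, 1);                      /* master releases SDA, then reads it */
    while (!read_sda(b) && clocks < 9) {
        set_scl(b, 0);
        set_scl(b, 1);                  /* one clock pulse; the slave may advance */
        clocks++;
    }
    if (!read_sda(b)) return -1;
    /* STOP: take SDA low while SCL is low, raise SCL, then raise SDA */
    set_scl(b, 0);
    set_sda(b, 0);
    set_scl(b, 1);
    set_sda(b, 1);
    return clocks;
}

int main(void) {
    i2c_sim_t b = stuck_bus(3);
    int r = i2c_bus_recover(&b);
    printf("slave releasing after 3 clocks: recover=%d stop=%d\n", r, b.stop_seen);
    b = stuck_bus(20);
    r = i2c_bus_recover(&b);
    printf("slave needing 20 clocks:        recover=%d stop=%d\n", r, b.stop_seen);
    return 0;
}
```

On hardware the SCL toggles must respect the slave's clock timing and the pins have to be switched back to the I2C peripheral afterwards; a -1 from the routine is the signal that a power cycle of the slave is the only option left.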
The valid key is definitely in the dictionary, but the command doesn't seem to work anymore, as seen from the output below:
pm3 --> hf iclass chk f client/default_keys.dic
[+] Reading tag CSN
[+] Loaded 88 keys from client/default_keys.dic
[+] Generating diversified keys, MAC
[+] Searching for DEBIT key
[+] Tag info
[+] CSN | 97 AD 1E 01 F8 FF 12 E0
[+] CCNR | FE FF FF FF FF FF FF FF 00 00 00 00
-----+------------------+---------
#key | key | mac
-----+------------------+---------
[ 0] | 0000ffffffffffff | e341d798
[ 1] | 0000000000000000 | 2510f8ce
[ 2] | 0000a0a1a2a3a4a5 | faaed79d
[ 3] | 0000d3f7d3f7d3f7 | 332a78ae
[ 4] | 00005a1b85fce20a | 8d6603cd
[ 5] | 000000000ffe2488 | 0138fa4f
[ 6] | 00000297927c0f77 | 32d0e015
[ 7] | 000026940b21ff5d | 172dd122
[ 8] | 00002ba9621e0a36 | 7b594a4f
[ 9] | 0000434f4d4d4f41 | cbd798ff
[+] ... skip printing the rest
.....
[-] Chunk [0/88] : 11.7s [debit]
[+] Time in iclass checkkeys: 12 seconds
pm3 --> hf iclass dump k AEA684A6DAB23278
.------+--+-------------------------+
CSN |00| 97 AD 1E 01 F8 FF 12 E0 |
------+--+-------------------------+
|01| 12 FF FF FF 7F 1F FF 3C | .......<
|02| FE FF FF FF FF FF FF FF | ........
|03| 99 0B 05 0E 84 A6 B3 0A | ........
|04| FF FF FF FF FF FF FF FF | ........
|05| FF FF FF FF FF FF FF FF | ........
|06| 03 03 03 03 00 03 E0 17 | ........
|07| 2E D7 86 81 51 19 7B 36 | ....Q.{6
|08| 2A D4 C8 21 1F 99 68 71 | *..!..hq
|09| 2A D4 C8 21 1F 99 68 71 | *..!..hq
|0A| FF FF FF FF FF FF FF FF | ........
|0B| FF FF FF FF FF FF FF FF | ........
|0C| FF FF FF FF FF FF FF FF | ........
|0D| FF FF FF FF FF FF FF FF | ........
|0E| FF FF FF FF FF FF FF FF | ........
|0F| FF FF FF FF FF FF FF FF | ........
|10| FF FF FF FF FF FF FF FF | ........
|11| FF FF FF FF FF FF FF FF | ........
|12| FF FF FF FF FF FF FF FF | ........
------+--+-------------------------+
[+] saving dump file - 19 blocks read
[+] saved 152 bytes to binary file iclass_tagdump-97ad1e01f8ff12e0-1.bin
pm3 -->
Is your feature request related to a problem? Please describe.
socram's amiibo tool is already added to the repo; however, it is not used anywhere.
Describe the solution you'd like
A nice integration with the pm3 client: identify an amiibo tag, and be able to dump it decrypted and restore it encrypted.
Describe alternatives you've considered
Or it can be added like reveng, which has its own parameter style / CLI.
Okay, I want to read more about the proxmark3 rdv40 and make a decision whether it is worth buying or not.
First I go to rfidresearchgroup.com, and what do I see? It's an Instagram with fashionable colourful PCBs?
Not a single line of text with a specification. I see black, blue and red PCBs. Are these different models of the device? Where should I click? Or should I click on every model and look for differences?
Okay, I click on a random device that looks similar to the proxmark3. And a gallery carousel appears with PCB photos. What?!
Okay, I finally find a menu on the top and click on Our Projects --> PROXMARK3 RDV4.0
and get to proxgrind.com. I click on Shop --> Hardware
to read more information about the proxmark3 RDV4.0.
And here is what I see. Where is the proxmark3 RDV4.0?!
Okay, I found this page http://proxgrind.com/prototyping/proxmark3-rdv4-0-development/ and finally read some useful info.
Then I got to https://lab401.com/collections/hardware/products/proxmark-3-rdv4 to read more information. I still don't get what the SIM card socket was made for, and what the difference is between the external red HF antenna and the assembly blue HF antenna, even after watching a video. Which is the long range and which the medium range?
So I look at the Assembly Instructions link in the resources section. Guess what I get?
I got this: proxmark elechouse RDV version assembly instruction.
Installation / Introduction
The manual opens elechouse documents too.
Proxmark3 is a highly specialized device for experts who expect to see schemes, accurate technical documents and so on. RDV4.0 looks very cool, but it lacks clear documentation and an accurate structure of information on all affiliated sites. I want to see all necessary information on a single page, without scrolling through tons of slides from the Kickstarter presentation. I want to see real comparisons with old revisions and real usage examples. Not a PCB photo gallery.
Here is an example of a good product page; take a look for inspiration:
How can we clone or read the PIN of a SIM card with the RDV4?!
Thanks
Is your feature request related to a problem? Please describe.
When running raw commands which take a long time to execute, the response will be cut.
Don't really know if this is a bug or a feature request :)
Describe the solution you'd like
Adding a timeout option like in hf 14a raw, this would become a non-issue.
Additional context
brought to my attention by @doegox
Recovery of ECDSA keys,
Now, the question is how many ECDSA keys there are... I see in Amiibo that they seem to use elliptic curve signatures.
See:
https://github.com/tintinweb/ecdsa-private-key-recovery
I don't manage to power up my PM3 RDV4 with my phone (in order to use it with the walrus app). I have a OnePlus 6T smartphone, and it seems that some people did manage to with smartphones.
TBH, I've already opened an issue here in the walrus repository.
My questions are :
Regards
Hi everyone,
I was running my proxmark3 rdv 4 for the second time and decided to follow the instructions for this repo, so I proceeded with the image upgrade.
[ 6552.518021] cdc_acm 1-3:1.0: ttyACM1: USB ACM device
[ 6570.767352] usb 1-3: USB disconnect, device number 77
[ 6573.085096] usb 1-3: new full-speed USB device number 78 using xhci_hcd
[ 6578.237065] usb 1-3: device descriptor read/64, error -110
[ 6583.493272] usb 1-3: New USB device found, idVendor=9ac4, idProduct=4b8f
[ 6583.493274] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6583.493276] usb 1-3: Product: PM3 Device
[ 6583.493277] usb 1-3: Manufacturer: proxmark.org
[ 6583.493278] usb 1-3: SerialNumber: 888
[ 6583.493814] cdc_acm 1-3:1.0: ttyACM1: USB ACM device
[ 6689.121873] usb 1-3: USB disconnect, device number 78
[ 6691.348203] usb 1-3: new full-speed USB device number 79 using xhci_hcd
[ 6696.712160] usb 1-3: new full-speed USB device number 80 using xhci_hcd
[ 6702.020367] usb 1-3: New USB device found, idVendor=9ac4, idProduct=4b8f
[ 6702.020370] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 6702.020371] usb 1-3: Product: PM3 Device
[ 6702.020372] usb 1-3: Manufacturer: proxmark.org
[ 6702.020373] usb 1-3: SerialNumber: 888
[ 6702.020907] cdc_acm 1-3:1.0: ttyACM1: USB ACM device
root@kali:~/proxmark3RDV4# client/flasher /dev/ttyACM1 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
Loading ELF file bootrom/obj/bootrom.elf
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x00000d60->0x00000d60) [R X] @0x298
Loading ELF file armsrc/obj/fullimage.elf
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x00037900->0x00037900) [R X] @0x94
1: V 0x00200000 P 0x00139900 (0x000012bc->0x000012bc) [RW ] @0x37994
Note: Extending previous segment from 0x37900 to 0x38bbc bytes
[+] Waiting for Proxmark to appear on /dev/ttyACM1
..........................................[=] UART Setting serial baudrate 115200 [FPC enabled]
.Found
Entering bootloader...
(Press and release the button only to abort)
[+] Waiting for Proxmark to appear on /dev/ttyACM1
......................[=] UART Setting serial baudrate 115200 [FPC enabled]
. Found
Flashing...
Writing segments for file: bootrom/obj/bootrom.elf
0x00100000..0x001001ff [0x200 / 1 blocks].OK
0x00100200..0x00100f5f [0xd60 / 7 blocks].......OK
Writing segments for file: armsrc/obj/fullimage.elf
0x00102000..0x0013abbb [0x38bbc / 454 blocks].......................................................Foo 128 | 128 (will loop)
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
And then I waited for about 10 minutes with no change. After reconnecting, all I can see with dmesg | grep -i usb is:
[ 6949.214132] usb 1-3: new full-speed USB device number 88 using xhci_hcd
[ 6966.117994] usb 1-3: new full-speed USB device number 89 using xhci_hcd
[ 6983.021859] usb 1-3: new full-speed USB device number 90 using xhci_hcd
[ 6999.929716] usb 1-3: new full-speed USB device number 91 using xhci_hcd
[ 7016.833577] usb 1-3: new full-speed USB device number 92 using xhci_hcd
[ 7033.737437] usb 1-3: new full-speed USB device number 93 using xhci_hcd
I did receive some warnings at first for an armsrc file.
Any help is appreciated.
This one should be easy to fix but I'm unsure where to look sorry!
I was redirected here by Dennis from the Kickstarter messaging board.
My original Message from 2018/7/31:
I do have a problem with my proxmark. I followed the update instructions at https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
When flashing the new bootrom the following output was produced:
andy@CargoCult:~/Tools/proxmark3/client$ sudo ./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf
Loading ELF file '../armsrc/obj/fullimage.elf'...
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x0002c398->0x0002c398) [R X] @0x94
1: V 0x00200000 P 0x0012e398 (0x00001938->0x00001938) [RW ] @0x2c42c
Note: Extending previous segment from 0x2c398 to 0x2dcd0 bytes
Waiting for Proxmark to appear on /dev/ttyACM0 .
Found.
#db# unknown command:: 0xc20d540d
Entering bootloader...
(Press and release the button only to abort)
Waiting for Proxmark to appear on /dev/ttyACM0 ............
Found.
Flashing...
Writing segments for file: ../armsrc/obj/fullimage.elf
0x00102000..0x0012fccf [0x2dcd0 / 367 blocks]....................Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
After half an hour I canceled the operation. Now the proxmark is not detected when plugging it in (the A and C lights are red, all four blue lights are lit).
Error-wise I get the following dmesg output:
[ 413.180442] usb 3-4: new full-speed USB device number 26 using xhci_hcd
[ 413.584453] usb 3-4: device descriptor read/64, error -71
[ 416.404493] usb 3-4: New USB device found, idVendor=9ac4, idProduct=4b8f, bcdDevice= 1.00
[ 416.404501] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 416.404504] usb 3-4: Product: PM3 Device
[ 416.404506] usb 3-4: Manufacturer: proxmark.org
[ 416.405276] usb 3-4: can't set config #1, error -71
[ 416.405346] usb 3-4: USB disconnect, device number 26
After that Dennis told me on 2018/8/16:
Sorry for the delay. Change the cable, as we realise there are 1% faulty cables within this KS shipment.
As well as (on 2018/9/18):
https://github.com/RfidResearchGroup/proxmark3
Try the new one.
I think your issue is the jumping ports ?
Hold the white button when flashing so the ports will not jump. As I can see now, the proxmark3 is in brick mode.
This was my answer when I tried the suggested fix:
still the same (initially all red and blue lights were blinking), now the A/C lights are red.
Output during flashing:
~/Tools/proxmark3$ sudo client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
Loading ELF file 'bootrom/obj/bootrom.elf'...
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x00000c8c->0x00000c8c) [R X] @0x298
Loading ELF file 'armsrc/obj/fullimage.elf'...
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x0002bb98->0x0002bb98) [R X] @0x94
1: V 0x00200000 P 0x0012db98 (0x00001964->0x00001964) [RW ] @0x2bc2c
Note: Extending previous segment from 0x2bb98 to 0x2d4fc bytes
Waiting for Proxmark to appear on /dev/ttyACM0 ................
Found.
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
This will not finish. Dmesg shows that the USB device disconnects:
[ 1997.250509] usb 3-4: New USB device found, idVendor=9ac4, idProduct=4b8f, bcdDevice= 1.00
[ 1997.250513] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1997.250515] usb 3-4: Product: PM3 Device
[ 1997.250517] usb 3-4: Manufacturer: proxmark.org
[ 1997.250519] usb 3-4: SerialNumber: 888
[ 1997.251321] cdc_acm 3-4:1.0: ttyACM0: USB ACM device
[ 2015.077421] cdc_acm 3-4:1.0: failed to set dtr/rts
[ 2015.319739] usb 3-4: USB disconnect, device number 11
[ 2015.734344] usb 3-4: new full-speed USB device number 12 using xhci_hcd
To this Dennis answered (2018/9/18):
https://github.com/RfidResearchGroup/proxmark3
Test it on a windows computer first.
If not, post an issue here on github.
Sorry for delay.
I did test it under Windows (also on 2018/9/18), found out the following:
Hi, just tested it with Windows: problem is, that the proxmark is not even detected by windows (so no driver is installed). Should I post my Linux findings (and the windows problem) to github or should I test something else before?
I'm still very disturbed that my proxmark seems to be in a bricked state (and I was following the gitlab instructions to the point).
As there was no feedback in the month since, I'm moving this to github. I'm still very disturbed that my proxmark3 seems to be bricked after I used your supplied cable and followed your instructions to the letter. Not very happy about this.
Describe the bug
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00
Repeating sc reader multiple times:
[=] ISO7618-3 ATR : D5 00 00 3B 67 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00
[=] ISO7618-3 ATR : 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] ISO7618-3 ATR : 2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00
[=] ISO7618-3 ATR : 3B 67 00 00 00 00 00 00 00 90 00
[=] ISO7816-3 ATR : D5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3B 67 00 00 00 00 00 00 00 90
pm3 --> sc list
[+] Recorded Activity (TraceLen = 41 bytes)
[=]
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
ISO7816-4 / Smartcard - Timings N/A yet
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 0 | Tag |d5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| | |00 3b 67 00 00 00 00 00 00 00 90 | |
Context:
As the title suggests, in either install.sh or update.sh I want to create a symlink that points /dev/cu.usbmodem*** to /dev/pm3.
Where should this function be placed?
Update.sh does not find the pm3 on OS X due to the "?" switch not working.
Along with the above we have no symlink in place, and I think it may be good to put one in.
Original:
function wait4proxmark {
    echo >&2 "Waiting for Proxmark to appear..."
    # Linux only: udev symlink /dev/pm3-? or the raw CDC-ACM node /dev/ttyACM?
    while [ ! -c /dev/ttyACM? -a ! -L /dev/pm3-? ]; do
        sleep .1
    done
    local PM3=$(ls -1 /dev/pm3-? /dev/ttyACM? 2>/dev/null | head -1)
    echo >&2 -e "Found proxmark on ${PM3}\n"
    echo $PM3
}
The following works fine but line 5 also throws a missing ']' error. Not sure about linux yet. Maybe it could be formatted better?
function wait4proxmark {
    echo >&2 "Waiting for Proxmark to appear..."
    while [ ! -c /dev/ttyACM? || /dev/tty.usbmodem* -a ! -L /dev/pm3-? || /dev/pm3* ]; do
        sleep .1
    done
    # OS X exposes the device as /dev/tty.usbmodem*, so list that pattern too
    local PM3=$(ls -1 /dev/pm3-? /dev/ttyACM? /dev/tty.usbmodem* /dev/pm3* 2>/dev/null | head -1)
    echo >&2 -e "Found proxmark on ${PM3}\n"
    echo $PM3
}
Also I think somewhere it would be good to check OS, detect OS X and put some symlinks in place. Working code:
if [[ $OSTYPE == darwin* ]]; then
    echo "I am a Mac - creating symlink to /dev/pm3"
    ln -s $PM3 /dev/pm3
fi
Just a simple question: Is this code compatible with the original proxmark? In other words, can I flash this to my old proxmark?
Hello,
Following this instruction:
In order for the PM3 RDV20, PM3 RDV30 etc. to be flashed with the RRG repo, you must edit these two Makefiles. You need to remove
1. client/Makefile (comment out one line WITH_FPC etc.)
2. armsrc/Makefile (comment out three lines and move out. WITH_FPC, WITH_SMARTCARD, WITH_FLASH)
recompile and your older device will work nicely
It fails with a cmdflashmem.c compilation error; I guess the command sources should also contain ifdef instructions to include or not the fpc, smartcard and flash sources.
Side question: I flashed the RDV40 HEAD on an RDV20 (without the mod above), and the board doesn't appear anymore in /dev after the flash (bootrom and fullimage). Is that normal? (I reverted to HEAD of the main line in the meantime, don't worry.)
Thanks,
Describe the bug
The compiler warns us of two potential truncations in CmdHF15Restore
when creating new commands internally:
cmdhf15.c: In function ‘CmdHF15Restore’:
cmdhf15.c:825:25: warning: ‘strncat’ output may be truncated copying 254 bytes from a string of length 999 [-Wstringop-truncation]
strncat(newCmdPrefix, param, sizeof(newCmdPrefix) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So in newCmdPrefix (255) we may have to squeeze 1000b (FILE_PATH_SIZE)
cmdhf15.c:900:9: note: ‘snprintf’ output between 6 and 516 bytes into a destination of size 255
snprintf(tmpCmd, sizeof(tmpCmd), "%s u %u %s", newCmdPrefix, i, hex);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So in tmpCmd (255) we may have to squeeze 4b + 255b (newCommandPrefix, itself a truncated version of FILE_PATH_SIZE, see above) + 2b + 255b (hex)
I'm not sure yet which buffers can be extended or not or if user must be warned of too long paths / too long hex.
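Added example, not code from the proxmark3 repository: the two calls the compiler flags above, rewritten so that a path or hex string that does not fit is refused with an error instead of being silently truncated into a different command. The buffer sizes, FILE_PATH_SIZE and the "%s u %u %s" format come from the diagnostics; the function names, the "hf 15 write" prefix and the sample inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the compiler diagnostics above: the command buffers hold
 * 255 bytes, while a file path may be up to FILE_PATH_SIZE bytes. */
#define FILE_PATH_SIZE  1000
#define CMD_PREFIX_SIZE 255
#define CMD_SIZE        255

/* strncat()'s third argument is the number of bytes that may still be
 * appended, not the size of the destination. sizeof(dst) - 1 is only right
 * while dst is empty. This helper computes the real remaining room and
 * refuses to append when src would not fit, so nothing is cut off. */
static bool append_checked(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return false;                   /* dst is not NUL-terminated */
    size_t used = (size_t)(end - dst);
    size_t need = strlen(src);
    if (need >= dstsz - used)
        return false;                   /* would truncate */
    memcpy(dst + used, src, need + 1);  /* copy including the NUL */
    return true;
}

/* Build "<prefix> u <i> <hex>" as cmdhf15.c does, but check snprintf()'s
 * return value: it is the length the full string would have had, so a value
 * >= outsz means the command was cut short. Returns the command length, or
 * -1 (with out emptied) when the pieces do not fit. */
static int build_write_cmd(char *out, size_t outsz, const char *prefix,
                           unsigned i, const char *hex) {
    int n = snprintf(out, outsz, "%s u %u %s", prefix, i, hex);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed scenario matching the two diagnostics: a FILE_PATH_SIZE - 1
 * byte path offered to the 255-byte prefix, and a hex string longer than the
 * 255-byte command buffer. Both must be refused and leave the buffers sane. */
static bool overlong_inputs_are_rejected(void) {
    char path[FILE_PATH_SIZE];
    char hex[600];
    char prefix[CMD_PREFIX_SIZE] = "hf 15 write";
    char cmd[CMD_SIZE];

    memset(path, 'p', sizeof(path) - 1);
    path[sizeof(path) - 1] = '\0';
    memset(hex, 'a', sizeof(hex) - 1);
    hex[sizeof(hex) - 1] = '\0';

    bool path_refused = !append_checked(prefix, sizeof(prefix), path)
                        && strcmp(prefix, "hf 15 write") == 0;
    bool hex_refused = build_write_cmd(cmd, sizeof(cmd), prefix, 0, hex) == -1
                       && cmd[0] == '\0';
    return path_refused && hex_refused;
}

int main(void) {
    char prefix[CMD_PREFIX_SIZE] = "hf 15 write";   /* constructed prefix */
    char cmd[CMD_SIZE];

    /* Short constructed inputs fit, so the command is built as usual. */
    if (!append_checked(prefix, sizeof(prefix), " f dump.bin") ||
        build_write_cmd(cmd, sizeof(cmd), prefix, 3, "deadbeef") < 0)
        return 1;
    printf("%s\n", cmd);
    printf("overlong inputs rejected: %s\n",
           overlong_inputs_are_rejected() ? "yes" : "no");
    return 0;
}
```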
I've used the new compile option make PLATFORM=PM3OLD512 for my old proxmark3 with 512k memory. However, I get the following errors with the emv function:
[=] UART Setting serial baudrate 460800
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: iceman
[ ARM ]
bootrom: master/v3.0.1-401-g53edb04-suspect 2018-09-13 18:14:59
os: iceman/master/9f9ee2f1 2019-03-16 12:49:18
[ FPGA ]
LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 230598 bytes (44%) Free: 293690 bytes (56%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> emv search
[=] Channel: CONTACTLESS
[!!] APDU: Reply timeout.
[!!] APDU: Reply timeout.
UART:: write time-out
[!] sending bytes to proxmark failed
[!!] APDU: Reply timeout.
[-] Retry failed [A00000000305076010]. Skipped...
UART:: write time-out
[!] sending bytes to proxmark failed
[!!] APDU: Reply timeout.
UART:: write time-out
[!] sending bytes to proxmark failed
...
EDIT: Same behavior with or without tag.
issuing hf mf chk keys returns nothing
No output from hf mf chk command, "hf mf chk *1 ?" returns no keys and executes in no time and returns: Time in checkkeys: 0 seconds
RDV3 and pm3-easy board, same issue.
OS X High Sierra
pm3 --> hw ver
Proxmark3 RFID instrument
[ CLIENT ]
client: iceman build for RDV40 with flashmem; smartcard;
[ ARM ]
bootrom: iceman/master/ 2018-08-13 21:53:19
os: iceman/master/ 2018-08-13 21:53:22
[ FPGA ]
LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
HF image built for 2s30vq100 on 2018/ 8/10 at 11:48:34
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 235171 bytes (45) Free: 289117 bytes (55)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
pm3 --> hw status
#db# Memory
#db# BIGBUF_SIZE.............40000
#db# Available memory........40000
#db# Tracing
#db# tracing ................0
#db# traceLen ...............103
#db# Currently loaded FPGA image
#db# mode.................... LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
#db# Flash memory
#db# init....................FAIL
#db# Smart card module (ISO 7816)
#db# version.................FAILED
#db# LF Sampling config
#db# [q] divisor.............95 (125 KHz)
#db# [b] bps.................8
#db# [d] decimation..........1
#db# [a] averaging...........Yes
#db# [t] trigger threshold...0
#db# USB Speed
#db# Sending USB packets to client...
hw tune
#db# Time elapsed............1500ms
#db# Bytes transferred.......806400
#db# USB Transfer Speed PM3 -> Client = 537600 Bytes/s
#db# Various
#db# MF_DBGLEVEL.............1
#db# ToSendMax...............39
#db# ToSendBit...............8
#db# ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mods
#db# LF HID26 standalone - aka SamyRun (Samy Kamkar)
pm3 --> hw tune
[=] measuring antenna characteristics, please wait...
...
[+] LF antenna: 46.17 V - 125.00 kHz
[+] LF antenna: 28.32 V - 134.00 kHz
[+] LF optimal: 49.43 V - 126.32 kHz
[+] LF antenna is OK
[+] HF antenna: 33.85 V - 13.56 MHz
[+] HF antenna is OK
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
Describe the bug
Strange thing: lf search finds a t5577 cloned with visa2000, but lf visa read fails to decode it.
Expected behavior
both lf search and lf visa read should find the tag
Additional context
could be related to the LF changes.
As found here, a link (below) to the new default keys file for iClass.
Now we need to fill it with keys.
Sharing is caring!
https://github.com/iceman1001/proxmark3/blob/master/client/default_iclass_keys.dic
Is your feature request related to a problem? Please describe.
Seeing there has been research into this crypto and there are no implementations (well, hitag2 exists) in the pm3 client.
Describe the solution you'd like
The standard command set, like info, read, write, dump, restore inside pm3 client
Additional context
Links to documentation are available.
Hi,
What is the procedure for unbricking?
Which tools are needed? The same as for the pm3 rdv2?
-PROXMARK 3 RDV4 - FLASHING SUPPORT (https://lab401.com/products/proxmark-3-rdv4-flash-support)
And which other tool is needed? (Segger J-LINK, Proxmark 3 RDV J-Link adaptor, AVRISP mk2, ...)
Would be great to get a short howto.
Thanks
Is your feature request related to a problem? Please describe.
There have been some clones in the wild, like Fudan and some UID-changeable cards, which don't have the NACK bug and, somewhat oddly, use a fixed nonce, rendering all current Mifare Classic attacks useless.
Describe the solution you'd like
A new command hf mf fixednonce that can recover the keys from such a card
Describe alternatives you've considered
Some progress has been done with Fudan cards but they involve sniffing traffic and reuse.
1- How can we have a reader attack with the RDV4!? Is it like the Rebooted!?
2- Is there any way to add a battery to the RDV4, like the Rebooted or the Chameleon REV-G!?
3- Is a reader attack just for Mifare cards, or can we have the same attack for Ultralight etc.!?
Describe the bug
The lf hitag commands fail to work.
Expected behavior
fully functional / verified working card operations with pm3 and a hitag card.
Additional context
This problem has existed for a while, @doegox brought this to my attention some days ago.
Found a hitag2 card today and could verify that the hitag2 commands don't work.