proxmark3
ISO 14443B simulation does not work
Describe the bug
The hf 14b sim feature does not seem to work properly: readers do not detect the simulated tag.
To Reproduce
- Run hf 14b sim -u 11AA33BB
Expected behavior
External readers detect the presence of a tag.
Desktop (please complete the following information):
- OS: macOS
hw version
[ Proxmark3 RFID instrument ]
[ CLIENT ]
Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-04 00:23:11 917abd9ba
compiled with............. Clang/LLVM Apple LLVM 13.1.6 (clang-1316.0.21.2)
platform.................. OSX / aarch64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-03 15:24:18 e49e4ed9a
os: Iceman/master/v4.14831-530-g8236de119-dirty-unclean 2022-04-04 00:23:13 917abd9ba
compiled with GCC 10.3.1 20210824 (release)
[ FPGA ]
LF image 2s30vq100 2022-03-23 17:21:05
HF image 2s30vq100 2022-03-23 17:21:16
HF FeliCa image 2s30vq100 2022-03-23 17:21:27
HF 15 image 2s30vq100 2022-03-23 17:21:38
[ Hardware ]
--= uC: AT91SAM7S512 Rev B
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 58% used )
hw status
[#] Memory
[#] BigBuf_size............. 42784
[#] Available memory........ 42784
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... HF image 2s30vq100 2022-03-23 17:21:16
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... yes
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] HF 14a config
[#] [a] Anticol override.... std ( follow standard )
[#] [b] BCC override........ std ( follow standard )
[#] [2] CL2 override........ std ( follow standard )
[#] [3] CL3 override........ std ( follow standard )
[#] [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 300032
[#] Transfer Speed PM3 -> Client... 600064 bytes/s
[#] Various
[#] Max stack usage......... 4088 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 32120 Hz
[#] Installed StandAlone Mode
[#] HF 14B SNIFF, a ISO14443b sniffer
data tune
[=] ---------- HF Antenna ----------
[+] HF antenna: 31,08 V - 13.56 MHz
[+] Approx. Q factor (*): 9,0 by peak voltage measurement
[+] HF antenna is OK
Additional context
- ISO 14443A emulation works properly
- Traces show that the emulated tag correctly responds to the reader WUPB commands, however, the reader does not seem to "hear" the tag. This suggests it may be an encoding/modulation problem. The same happens with multiple different readers.
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
0 | 0 | Rdr |05 00 08 39 73 | ok | WUPB
0 | 0 | Tag |50 11 aa 33 bb 20 38 19 22 00 21 85 7e 59 | ok |
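The frames in the trace above can be checked at the byte level independently of the client: this added example (not part of the original report or of the Proxmark3 code base) recomputes CRC_B over the WUPB and the simulated tag's answer and decodes the ATQB fields. The names crc_b, frame_crc_ok, parse_atqb and struct atqb are hypothetical; the layout assumed is the 14-byte basic ATQB of ISO/IEC 14443-3.

```c
#include <stdint.h>
#include <stdio.h>
/* Frames copied byte for byte from the trace in the report. */
static const uint8_t WUPB[] = {0x05, 0x00, 0x08, 0x39, 0x73};
static const uint8_t ATQB[] = {0x50, 0x11, 0xaa, 0x33, 0xbb, 0x20, 0x38,
                               0x19, 0x22, 0x00, 0x21, 0x85, 0x7e, 0x59};

struct atqb {               /* hypothetical holder for the decoded fields */
    uint32_t pupi;          /* bytes 1..4 */
    unsigned max_frame;     /* bytes, from the 4-bit size code */
    uint8_t protocol_type;  /* low nibble of protocol info byte 2 */
    uint8_t fwi;            /* high nibble of protocol info byte 3 */
};

/* CRC_B: reflected polynomial 0x8408, initial value 0xFFFF, result complemented. */
uint16_t crc_b(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++) crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return (uint16_t)~crc;
}

/* The two CRC bytes are appended low byte first. */
int frame_crc_ok(const uint8_t *f, size_t n) {
    if (n < 3) return 0;
    uint16_t c = crc_b(f, n - 2);
    return f[n - 2] == (c & 0xFF) && f[n - 1] == (c >> 8);
}

/* Returns 0 on success, -1 for a malformed frame, -2 for a CRC mismatch. */
int parse_atqb(const uint8_t *f, size_t n, struct atqb *out) {
    static const unsigned sizes[] = {16, 24, 32, 40, 48, 64, 96, 128, 256};
    if (n != 14 || f[0] != 0x50 || (f[10] >> 4) > 8) return -1;
    if (!frame_crc_ok(f, n)) return -2;
    out->pupi = ((uint32_t)f[1] << 24) | ((uint32_t)f[2] << 16) | ((uint32_t)f[3] << 8) | f[4];
    out->max_frame = sizes[f[10] >> 4];
    out->protocol_type = f[10] & 0x0F;
    out->fwi = f[11] >> 4;
    return 0;
}

int main(void) {
    struct atqb a = {0};
    int rc = parse_atqb(ATQB, sizeof ATQB, &a);
    printf("WUPB ok=%d ATQB rc=%d PUPI=%08X\n", frame_crc_ok(WUPB, sizeof WUPB), rc, (unsigned)a.pupi);
    return 0;
}
```

Both frames pass and the decoded PUPI equals the value given to -u, so the bytes the simulation queues are well-formed. A byte-level check like this cannot see how those bytes are modulated on air.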
I tested on Raspberry Pi 3B, ISO 14443B simulation also does not work. It seems there is a problem with this feature.
hf 14b commands would need some more love. Feel free to contribute!
I have an emulation system for an srt512 if you wish (the code is not clean at all but functional)
@valtoo16 that is interesting, can you share a repository or a gist with the complete code?
@valtoo16 If you have a fix for 14b, you are welcome to make a PR
We have better support for shallow mode in 14B reader. Not that it will help for simulation but it will help when developing sim commands.
@valtoo16 your code?
Hi, I'd like to help work on this feature, but I have never contributed to this project. What would be a good way to start making progress for this feature?
Do I need a reader and a card in order to sniff their communication and see why the emulation is not the same using a Proxmark3RDV4?
There is no implementation of a 14B protocol to start with.
So you would need to first do that, then you would debug with reader/sniffer
I love to see you contribute!
Is there some documentation on how to get started adding a new protocol? (I'll fork the repo for now and start reading the code for a well-implemented protocol; do you have any recommendation, @iceman1001?)
you need 14B data sheets, then you can look at armsrc/iso14443b.c to start with...
hf 14b commands have gotten some serious love and work better now.
Feel free to improve the simulation.
Thanks a lot for letting us know here, I'll try and test it at some point (when I have some free time), I'll report on it when I do and try to see if we can work on documenting what works and what doesn't, I guess.