proxmark3
Proxmark seems stuck after `hf emrtd info` on reading passport
Describe the bug
Proxmark stops responding to any commands after trying to read a Russian international passport using the command `hf emrtd info` (and getting a timeout during it). Reconnecting (and thus rebooting the Proxmark) will bring it back alive.
To Reproduce
Steps to reproduce the behavior:
- Use `hf emrtd info ...` on a Russian international passport
Expected behavior
Passport will be successfully read.
Screenshots
Desktop (please complete the following information):
- OS: macOS 12.4 (21F79) with M1 Pro
- hw version
```
[ Proxmark3 RFID instrument ]
[ CLIENT ]
Iceman/master/v4.14831-763-g11e097c1b 2022-07-08 22:46:20 f50237638
compiled with............. Clang/LLVM Apple LLVM 13.1.6 (clang-1316.0.21.2.5)
platform.................. OSX / aarch64
Readline support.......... present
QT GUI support............ present
native BT support......... absent
Python script support..... absent
Lua SWIG support.......... present
Python SWIG support....... absent
[ PROXMARK3 ]
firmware.................. PM3 GENERIC
[ ARM ]
bootrom: Iceman/master/v4.14831-763-g11e097c1b 2022-07-08 22:46:02 f50237638
os: Iceman/master/v4.14831-763-g11e097c1b 2022-07-08 22:46:17 f50237638
compiled with GCC 10.2.1 20201103 (release)
[ FPGA ]
LF image 2s30vq100 2022-03-23 17:21:05
HF image 2s30vq100 2022-03-23 17:21:16
HF FeliCa image 2s30vq100 2022-03-23 17:21:27
HF 15 image 2s30vq100 2022-03-23 17:21:38
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 59% used )
```
- hw status
```
[#] Memory
[#] BigBuf_size............. 42492
[#] Available memory........ 42492
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... HF image 2s30vq100 2022-03-23 17:21:16
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... yes
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#]             [r]             [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]             mode           |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]     long leading reference |  31 |  20 |  18 |  50 |  15 | N/A | N/A |
[#]               leading zero |  31 |  20 |  18 |  40 |  15 | N/A | N/A |
[#]    1 of 4 coding reference |  31 |  20 |  18 |  34 |  15 |  50 |  66 |
[#]
[#] HF 14a config
[#] [a] Anticol override.... std ( follow standard )
[#] [b] BCC override........ std ( follow standard )
[#] [2] CL2 override........ std ( follow standard )
[#] [3] CL3 override........ std ( follow standard )
[#] [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 293888
[#] Transfer Speed PM3 -> Client... 587776 bytes/s
[#] Various
[#] Max stack usage......... 4088 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 30432 Hz
[#] Installed StandAlone Mode
[#] HF Mifare sniff/clone - aka MattyRun (Matías A. Ré Medina)
[#]
```
- data tune
```
[=] ---------- LF Antenna ----------
[+] LF antenna: 30.44 V - 125.00 kHz
[+] LF antenna: 42.45 V - 134.83 kHz
[+] LF optimal: 43.05 V - 133.33 kHz
[+] Approx. Q factor (*): 8.2 by frequency bandwidth measurement
[+] Approx. Q factor (*): 12.5 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 30.94 V - 13.56 MHz
[+] Approx. Q factor (*): 9.0 by peak voltage measurement
[+] HF antenna is OK
```
Additional context
Despite being tested on the Chinese copy of Proxmark3 Easy, the issue is reproducible on other Easy devices and RDV4. Also, the NFC chip in the passport I was testing isn't faulty - I tried multiple and they all behave the same.
looks like there is something with Russian epassports and 0x011E secure file read of EF_COM...
Try enable debug messages, might get more necessary information out.
```
data setdeb -2
hf emrtd info
```
did you test to call the `hf emrtd info` with the "-n -d -e" params set?
Setting `data setdeb -2` does make no difference, output is the same
I was calling with set -n -d -e params, as you can see on the screenshot - without them it will show basic info and stop, since authentication is enforced
Also Proxmark gets stuck even after failed authentication:
ok, 14B,
Seems to get stuck in the external authentication part where your passport seems to not approve.
And after that your next command fails. Most likely because of field is still on.
Is there any debug info I can collect to help?
I can confirm that on OSX the `emrtd` commands get stuck on `8E08` apdu, it creates it but epassport doesn't answer back.
It fails after detecting BrainpoolP384r1
might be related to the mbedtls library we use.
I have confirmed that on ubuntu/wsl it work.
client seems to vomit more information on this - `prefs set clientdebug --full`
after the APDU failure, it locks the device, and you need to unplug and replug to get it working again.
doubly-confirmed, same passport works on ubuntu, fails on x86 and m1 macs.
```
[=] ------------------ Basic Info ------------------
[+] Communication standard: ISO/IEC 14443(B)
[+] Authentication........: Enforced
[+] PACE..................: Not available
[+] Authentication result.: Successful
[#] cmd: 0CA4020C80000000
[#] data: 011E800000000000
[#] temp: 8FD4DDB974CD9A2C
[#] do87: 8709018FD4DDB974CD9A2C
[#] m: 0CA4020C800000008709018FD4DDB974CD9A2C
[#] ssc-b: 01D4E9C900000000
[#] ssc-a: 01D4E9C900000001
[#] n: 01D4E9C9000000010CA4020C800000008709018FD4DDB974CD9A2C
[#] cc: 2976C3F480D32E36
[#] do8e: 8E082976C3F480D32E36
[#] lc: 21
[#] data: 8709018FD4DDB974CD9A2C8E082976C3F480D32E36
[+] >>>> 0C A4 02 0C 15 87 09 01 8F D4 DD B9 74 CD 9A 2C 8E 08 29 76 C3 F4 80 D3 2E 36 00
[=] You can cancel this operation by pressing the pm3 button
[!!] 🚨 APDU: reply timeout
[!!] 🚨 Failed to secure select 011E
[!!] 🚨 Failed to read EF_COM.
```
edit: nevermind, i am a moron and can't read.
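The debug lines quoted above show every intermediate value of the secure-messaging SELECT for file 011E, so the frame can be checked offline before suspecting the crypto library. The Python below is an added example, not part of the thread or of the Proxmark3 code base: it re-derives the logged values from the transmitted APDU using the ICAO 9303 secure-messaging layout (padded header, DO'87', DO'8E'); the key names and function names are this example's own.

```python
TRACE = {  # values copied from the debug output in the thread; key names are assumptions
    "cmd":  "0CA4020C80000000",
    "do87": "8709018FD4DDB974CD9A2C",
    "m":    "0CA4020C800000008709018FD4DDB974CD9A2C",
    "ssc":  "01D4E9C900000001",  # the "ssc-a" line (counter after increment)
    "n":    "01D4E9C9000000010CA4020C800000008709018FD4DDB974CD9A2C",
    "cc":   "2976C3F480D32E36",
    "apdu": "0CA4020C15 8709018FD4DDB974CD9A2C 8E082976C3F480D32E36 00",
}

def parse_dos(body: bytes) -> list:
    """Split a data field into (tag, value) pairs; one-byte tags, short lengths only."""
    dos, i = [], 0
    while i < len(body):
        head = body[i:i + 2]
        if len(head) < 2 or head[1] > 0x7F:
            raise ValueError("truncated or long-form data object at offset %d" % i)
        value = body[i + 2:i + 2 + head[1]]
        if len(value) != head[1]:
            raise ValueError("data object 0x%02X runs past the data field" % head[0])
        dos.append((head[0], value))
        i += 2 + len(value)
    return dos

def check_sm_apdu(t: dict) -> list:
    """Return the structural problems found in a protected command APDU."""
    h = {k: bytes.fromhex(v) for k, v in t.items()}
    apdu = h["apdu"]
    if len(apdu) < 6:
        return ["APDU too short for header, Lc, data and Le"]
    header, lc, body, le = apdu[:4], apdu[4], apdu[5:-1], apdu[-1]
    try:
        dos = parse_dos(body)
    except ValueError as err:
        return [str(err)]
    if [tag for tag, _ in dos] != [0x87, 0x8E]:
        return ["expected DO'87' followed by DO'8E'"]
    do87, do8e = dos[0][1], dos[1][1]
    checks = [
        (header[0] & 0x0C == 0x0C, "CLA lacks secure-messaging bits"),
        (lc == len(body), "Lc does not match data field length"),
        (le == 0x00, "Le is not 00"),
        (do87[:1] == b"\x01" and len(do87) % 8 == 1, "DO'87' is not 01 || whole 8-byte blocks"),
        (do8e == h["cc"], "DO'8E' does not carry the logged cc"),
        (header + b"\x80\x00\x00\x00" == h["cmd"], "padded header mismatch"),
        (h["cmd"] + h["do87"] == h["m"], "M is not padded header || DO'87'"),
        (h["ssc"] + h["m"] == h["n"], "N is not SSC || M"),
    ]
    return [msg for ok, msg in checks if not ok]
```

`check_sm_apdu(TRACE)` returns an empty list for the values in this thread: the frame layout is consistent with the logged intermediates. Whether the cryptogram and the checksum themselves are correct cannot be verified without the session keys.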
it is an odd issue, working on Ubuntu vs not working on M1...
@realytcracker I guess you dropped a beat with deadmau5 ?
I don't think this issue will be resolved until someone starts debugging the mbedtls library calls.
Close until someone finds more luck?
yes indeed - i lead a very weird existence. if i harvest some time somewhere, i might take a stab at a PR myself to end these shenanigans. feel free to close in the meantime. hacky new year and i hope you are well!
On Jan 8, 2023, at 11:30 AM, Iceman @.***> wrote:
> @realytcracker I guess you dropped a beat with deadmau5 ?
> I don't think this issue will be resolved until someone starts debugging the mbedtls library calls.
> Close until someone finds more luck?
same issue for me - stuck on mac os with m1 max and fully work on Ubuntu in UTM virtualisation
please keep this issue open as maybe someone will dive into
I also have the same issue on an X86 Mac.
Observed even more drastic behavior with Polish passport - both on Linux and Windows machines Proxmark3 hardware reboots after a few seconds following read command...
There is a memory issue, where several 14B apdu calls eats up the bigbuff and eventually into the stack and the device hangs.
> There is a memory issue, where several 14B apdu calls eats up the bigbuff and eventually into the stack and the device hangs.
On my mac, I've got 64gb unified memory and 400GB/s of memory bandwidth, and it's definitely not memory issue. Except there is some configuration memory limit in proxmark itself
@anders0l - I think this memory is related to internal memory in Proxmark MCU...
I was unclear. it is device side related.
Do RDV4.01 have bigger internal RAM than others?
no, it has 64k ram like most MCU from that product line
Tested new firmware (Iceman/master/v4.17768-170-gf48d49556). Now with Polish Passport I get:
```
[usb] pm3 --> hf em info -n AB1234567 -d 123456 -e 123456
[=] ..
[=] Authentication is enforced
[=] Switching to external authentication...
[!!] APDU: no APDU response
[!!] Couldn't do external authentication. Did you supply the correct MRZ info?
[=] ------------------ Basic Info ------------------
[+] Communication standard: ISO/IEC 14443(B)
[+] Authentication........: Enforced
[+] PACE..................: Available
[+] Authentication result.: Failed
[=] ----------------- EF_CardAccess ----------------
[+] PACE version..........: 2
[+] PACE algorithm........: ECDH, Generic Mapping, 3DES-CBC-CBC
[+] PACE parameter........: NIST P-256 (secp256r1)
```
So good news is the device is not rebooting. Bad news - still not reading the data ;)
if you add
```
data setde -2
hf emrtd info -n AB1234567 -d 123456 -e 123456
trace save -f polish_pp_nAB1234567_d123456_e123456
hf emrtd list
data setde -0
```
One can look and see what is going wrong in the trace if any and you should have gotten a longer more detailed output
Well, it might expose some sensitive data, as this is my actual valid passport...
In that case you are on your own, I cannot help out. But look at the output and see where it stops
Try pulling latest and flash, need to test if it is fixed.
Hi, again same result
```
[usb] pm3 --> hf em info -n AB1234567 -d 123456 -e 123456
[=] ..
[=] Authentication is enforced
[=] Switching to external authentication...
[!!] APDU: no APDU response
[!!] Couldn't do external authentication. Did you supply the correct MRZ info?
[=] ------------------ Basic Info ------------------
[+] Communication standard: ISO/IEC 14443(B)
[+] Authentication........: Enforced
[+] PACE..................: Available
[+] Authentication result.: Failed
[=] ----------------- EF_CardAccess ----------------
[+] PACE version..........: 2
[+] PACE algorithm........: ECDH, Generic Mapping, 3DES-CBC-CBC
[+] PACE parameter........: NIST P-256 (secp256r1)
```
Maybe I can send you trace data using some secure channel?
Well, either your passport doesn't support BAC,
[!!] Couldn't do external authentication. Did you supply the correct MRZ info?
and we don't support PACE.
The first question is, does your pm3 client hang still?
the second is that your password is most likely PACE...
No, same as I mentioned before - now proxmark does not hang - that is the good news.
Is there any literature I can probably read about the BAC and PACE?
use your google-foo to find about machine readable documents. Should be public information
Closing, since original issue is solved.
@iceman1001 I can still reproduce this issue using the latest pm3 client and firmware