Proxmark3 locks up when running hf mf sim
Description
When using the hf mf eload command to load a MIFARE dump into the emulator’s memory and then running hf mf sim to simulate the card, the operation succeeds roughly 1 in 10 times (i.e. the door opens once), but on the other attempts the Proxmark3 becomes unresponsive (all 4 LEDs flash chaotically) until it is power-cycled. Cloning and reading workflows function correctly; only the load + simulate sequence is affected.
Steps to Reproduce
- Connect the Proxmark3 Easy 512 K to macOS 15.4.1 via USB.
- In the pm3 client, load a previously captured dump into the emulator:
    [usb|script] pm3 --> hf mf eload -f hf-mf-XXXXXXXX-dump.bin
    [=] Upload 64 blocks 1024 bytes
    [+] Loaded 1024 bytes from binary file hf-mf-XXXXXXXX-dump.bin
    [=] Uploading to emulator memory
    [=] ....
    [?] Hint: You are ready to simulate. See hf mf sim -h
    [=] Done!
- Attempt to simulate the card:
    [usb|script] pm3 --> hf mf sim --1k -u XXXXXXXX -i
    [=] MIFARE 1K | 4 bytes UID XX XX XX XX
    [=] Options [ numreads: 0, flags: 81 (0x0051) ]
    [=] Press pm3 button or a key to abort simulation
    [#] Enforcing Mifare 1K ATQA/SAK
    [#] 4B UID: XXXXXXXX
    [#] ATQA : 00 04
    [#] SAK : 08
    [!] Communicating with Proxmark3 device failed
- Observe that the Proxmark3 LEDs flash erratically and the client no longer responds.
- Reconnect the device’s power—after which the client becomes operational again, but the door lock never responds without a successful simulation.
Actual Behavior
- Only a few attempts work.
- Most attempts fail with a communication error, and the Proxmark3 firmware appears to lock up (LEDs flash, no client interaction).
- A power-cycle is required to restore functionality.
Expected Behavior
- Every hf mf eload → hf mf sim cycle should reliably simulate the card in emulator mode without requiring a reset.
- The Proxmark3 should remain responsive after a failed simulation, allowing immediate retry.
Environment
- OS: macOS 15.4.1 (aarch64)
- Proxmark3 Model: Easy 512 K
- hw output:
[usb] pm3 --> hw version
[ Proxmark3 ]
[ Client ]
Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:42 fee7ca416
Compiler.................. Clang/LLVM Apple LLVM 17.0.0 (clang-1700.0.13.3)
Platform.................. OSX / aarch64
Readline support.......... present
QT GUI support............ absent
Native BT support......... absent
Python script support..... present ( 3.13.3 )
Python SWIG support....... present
Lua script support........ present ( 5.4.7 )
Lua SWIG support.......... present
[ Model ]
Firmware.................. PM3 GENERIC
[ ARM ]
Bootrom.... Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:43 fee7ca416
OS......... Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:43 fee7ca416
Compiler... GCC 13.3.1 20240614
[ FPGA ]
fpga_pm3_hf.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_lf.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_felica.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_hf_15.ncd image 2s30vq100 24-04-2025 15:06:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 67% used )
[usb] pm3 --> hw tune
[=] -------- Reminder ----------------------------
[=] `hw tune` doesn't actively tune your antennas.
[=] It's only informative.
[=] Measuring antenna characteristics...
🕛 9
[=] -------- LF Antenna ----------
[+] 125.00 kHz ........... 25.71 V
[+] 134.83 kHz ........... 17.85 V
[+] 121.21 kHz optimal.... 26.36 V
[+]
[+] Approx. Q factor measurement
[+] Frequency bandwidth... 6.3
[+] Peak voltage.......... 7.7
[+] LF antenna............ ok
[=] -------- HF Antenna ----------
[+] 13.56 MHz............. 16.05 V
[+]
[+] Approx. Q factor measurement
[+] Peak voltage.......... 4.7
[+] HF antenna ( ok )
[=] -------- LF tuning graph ------------
[+] Orange line - divisor 95 / 125.00 kHz
[+] Blue line - divisor 88 / 134.83 kHz
No GUI in this build!
[=] Q factor must be measured without tag on the antenna
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size............. 40120
[#] Available memory........ 40120
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... fpga_pm3_hf.ncd image 2s30vq100 24-04-2025 15:06:23
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... yes
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | n/a | n/a |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | n/a | n/a |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | n/a | n/a |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] HF 14a config
[#] [a] Anticol override.............. std ( follow standard )
[#] [b] BCC override.................. std ( follow standard )
[#] [2] CL2 override.................. std ( follow standard )
[#] [3] CL3 override.................. std ( follow standard )
[#] [r] RATS override................. std ( follow standard )
[#] [m] Magsafe polling............... disabled
[#] [p] Polling loop annotation....... disabled 00000000000000000000000000000000
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 376320
[#] Transfer Speed PM3 -> Client... 752640 bytes/s
[#] Various
[#] Max stack usage......... 3520 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 32241 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
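A triage helper for the failure reported above, added here as an example and not part of the original issue or the Proxmark3 project: it splits a saved client transcript into per-command sessions, counts how many hf mf sim attempts ended with the communication error, and records the last device-side line seen before the link dropped. The transcript is constructed from the lines in this report; treating `[#]` lines as device-side messages and an attempt without the error line as a success are assumptions.

```python
import re

# Prompt lines look like "[usb] pm3 --> cmd" or "[usb|script] pm3 --> cmd".
PROMPT = re.compile(r"^\[[^\]]+\] pm3 --> (?P<cmd>.+)$")
FAIL = "Communicating with Proxmark3 device failed"

# Constructed transcript: first sim attempt copied from the report, second
# attempt is a constructed "no error" case (assumed shape of a good run).
SAMPLE = """\
[usb|script] pm3 --> hf mf eload -f hf-mf-XXXXXXXX-dump.bin
[=] Upload 64 blocks 1024 bytes
[=] Done!
[usb|script] pm3 --> hf mf sim --1k -u XXXXXXXX -i
[=] Press pm3 button or a key to abort simulation
[#] Enforcing Mifare 1K ATQA/SAK
[#] ATQA : 00 04
[#] SAK : 08
[!] Communicating with Proxmark3 device failed
[usb|script] pm3 --> hf mf sim --1k -u XXXXXXXX -i
[=] Press pm3 button or a key to abort simulation
[#] Enforcing Mifare 1K ATQA/SAK
[#] ATQA : 00 04
[#] SAK : 08
"""

def split_sessions(transcript):
    """Group output lines under the client command that produced them."""
    sessions = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            sessions.append({"cmd": m.group("cmd").strip(), "out": []})
        elif sessions and line:
            sessions[-1]["out"].append(line)
    return sessions

def classify_sim(session):
    """Return (status, last '[#]' line), assuming '[#]' marks device-side output."""
    device = [l for l in session["out"] if l.startswith("[#]")]
    failed = any(l.startswith("[!]") and FAIL in l for l in session["out"])
    return ("lockup" if failed else "ok"), (device[-1] if device else None)

def summarize(transcript):
    """Count sim attempts and lockups; keep the last device line per lockup."""
    sims = [s for s in split_sessions(transcript) if s["cmd"].startswith("hf mf sim")]
    results = [classify_sim(s) for s in sims]
    last = [line for status, line in results if status == "lockup"]
    return {"attempts": len(sims), "lockups": len(last), "last_device_line": last}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A lockup whose last device line is the SAK message means the firmware accepted the command and printed its setup before the USB link died, which narrows the fault to the simulation loop rather than argument handling.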
We have had some issues with fpga images which influence the iso15/iclass simulation, this has been fixed.
How about you pull latest and test again?
Ping, would you mind verifying that with the latest source this issue still exists?
Sorry for the late reply. I’ve pulled the latest, and the issue still exists.