
Errors/missing parts when sniffing in both directions

Open madalinaStreche opened this issue 4 years ago • 6 comments

I am trying to record a communication between 2 devices, but from my logs it seems that the Chameleon manages to sniff in only one direction: reader -> card. What about the data transmitted from the card to the reader? Are there any updates on this?

madalinaStreche, May 27 '20 18:05

Hi @madalinaStreche, did you already take a look at #220?

fptrs, Jun 03 '20 08:06

Hi! I managed to update the Chameleon and now I can see the logs from both sides (card/reader). The other issue I have right now is that some messages are incomplete, altered or modified. I tried to record an EMV communication between a smartwatch and a Raspberry Pi that acts as a POS. I sniffed the same communication with the Chameleon 20 times; each communication has 14 messages in total (7 from the Raspberry Pi and 7 responses from the smartwatch), and I compiled statistics showing the frequency of altered/missing/incomplete messages. Most messages that have problems are responses from the smartwatch. Do you have any idea why this is happening? [pie chart image: frequency of altered/missing/incomplete messages]

madalinaStreche, Aug 13 '20 19:08

It might be due to autocalibration not being perfect, so the quality of the sniff depends on the physical position of the Chameleon in the NFC field.

ceres-c, Aug 13 '20 20:08

@madalinaStreche Sniffing in the direction from reader to card should normally work without problems. The opposite direction is much harder due to the weaker load modulation. So it might depend on setup, calibration, etc., as the others pointed out.

david-oswald, Aug 14 '20 08:08
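The statistics in the Aug 13 comment were compiled by hand, and the comment above explains why the two directions should be scored separately. As an added example (not ChameleonMini project code, and not posted by anyone in this thread), the script below verifies the ISO/IEC 14443-3 CRC_A of every sniffed frame in a raw Chameleon log dump and counts clean, altered/cut-off and CRC-less frames per direction. The log layout (type, length, 16-bit big-endian timestamp, data) and the entry-type values 0x44 (sniffed reader data) and 0x46 (sniffed card data) are my reading of the firmware's Log.h and are assumptions to check against the firmware you flashed; the parity-annotated variants are not handled. The sample log is constructed, not a real capture.

```python
"""Score a ChameleonMini sniff log by direction and CRC_A validity.

Added example, not ChameleonMini project code. ASSUMED log layout (from
the firmware's Log.h/Log.c): each entry is type(1) length(1)
timestamp(2, big-endian) data(length). ASSUMED entry types: sniffed
reader frames 0x44, sniffed card frames 0x46 (the parity-annotated
variants 0x45/0x47 are not handled). Verify against your firmware.
"""
import struct
from collections import Counter

LOG_SNI_READER_DATA = 0x44  # assumed LOG_INFO_CODEC_SNI_READER_DATA
LOG_SNI_CARD_DATA = 0x46    # assumed LOG_INFO_CODEC_SNI_CARD_DATA


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A (poly 0x1021, reflected 0x8408, init 0x6363,
    no final XOR), returned LSB first as it is sent on the air."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def parse_log(blob: bytes):
    """Split a raw log dump into (entry_type, timestamp, data) tuples."""
    entries, off = [], 0
    while off + 4 <= len(blob):
        etype, length, ts = struct.unpack_from(">BBH", blob, off)
        off += 4
        entries.append((etype, ts, blob[off:off + length]))
        off += length
    return entries


def sniff_stats(entries):
    """Bucket sniffed frames per direction: 'ok' (CRC_A verifies),
    'bad_crc' (altered or cut off mid-frame), 'short' (under 3 bytes, so
    there is no CRC_A to check, e.g. REQA/ATQA during anticollision)."""
    stats = {"reader": Counter(), "card": Counter()}
    for etype, _ts, data in entries:
        if etype == LOG_SNI_READER_DATA:
            direction = "reader"
        elif etype == LOG_SNI_CARD_DATA:
            direction = "card"
        else:
            continue  # config/info entries, not sniffed traffic
        if len(data) < 3:
            verdict = "short"
        elif crc_a(data[:-2]) == data[-2:]:
            verdict = "ok"
        else:
            verdict = "bad_crc"
        stats[direction][verdict] += 1
    return stats


# --- constructed sample log (not a real capture) -------------------------
def build_entry(etype: int, ts: int, data: bytes) -> bytes:
    return struct.pack(">BBH", etype, len(data), ts) + data


def frame(payload: bytes) -> bytes:
    """ISO 14443-4 block as seen on the air: payload followed by CRC_A."""
    return payload + crc_a(payload)


# I-block (PCB 0x02) carrying SELECT 2PAY.SYS.DDF01, and a plausible FCI reply.
SELECT_PPSE = bytes.fromhex("02 00A404000E325041592E5359532E444446303100")
PPSE_RESP = bytes.fromhex("02 6F10840E325041592E5359532E4444463031 9000")
_flipped = bytearray(frame(PPSE_RESP))
_flipped[5] ^= 0x80  # single bit error inside the payload

SAMPLE_LOG = b"".join([
    build_entry(LOG_SNI_READER_DATA, 100, b"\x26"),             # REQA, no CRC
    build_entry(LOG_SNI_READER_DATA, 200, frame(SELECT_PPSE)),
    build_entry(LOG_SNI_CARD_DATA, 205, frame(PPSE_RESP)),      # clean reply
    build_entry(LOG_SNI_READER_DATA, 300, frame(SELECT_PPSE)),
    build_entry(LOG_SNI_CARD_DATA, 305, frame(PPSE_RESP)[:7]),  # cut off mid-frame
    build_entry(LOG_SNI_READER_DATA, 400, frame(SELECT_PPSE)),
    build_entry(LOG_SNI_CARD_DATA, 405, bytes(_flipped)),       # altered reply
    build_entry(0x10, 500, b"not traffic"),                     # generic info entry
])

if __name__ == "__main__":
    for direction, counts in sniff_stats(parse_log(SAMPLE_LOG)).items():
        total = sum(counts.values())
        print(f"{direction}: {dict(counts)}  ({counts['ok']}/{total} verified)")
```

Feed it the raw bytes of a log download instead of SAMPLE_LOG to get per-direction counts for a real session; a CRC failure cannot tell an altered frame from a truncated one, but both are what the pie chart lumped together, and splitting them by direction shows directly whether the weaker card-to-reader load modulation is where the losses concentrate.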

Is the autocalibration mode available only for reader mode? Would it help if I ran the autocalibration in reader mode first and then switched to sniffing? Also, I just tried to sniff a real communication between the smartwatch and a POS during a payment, and the statistics are really bad: 95% of the messages are altered/missing. In this case the messages from the reader have problems too. What is different in this case? I kept the Chameleon right between the smartwatch and the POS.

madalinamarin, Aug 14 '20 11:08

https://github.com/emsec/ChameleonMini/issues/220#issuecomment-494812896

Sniffing NFC fields is always a finicky process, since the reader's field is MUCH stronger than the card's modulation, which means picking a threshold to discriminate noise from actual data is nontrivial. Have a look at the scope captures in this post for more insight (it's about the Proxmark, but the concepts are the same): https://swende.se/blog/PM3-development.html

ceres-c, Aug 14 '20 11:08