HydraFW HydraNFC guide

Benjamin Vernoux edited this page Jul 27, 2017 · 46 revisions

HydraNFC must be plugged on the front side of HydraBus! (PowerOff the HydraBus before to plug HydraNFC)

This guide is updated towards firmware release HydraFW v0.8 Beta: HydraFW (HydraBus) v0.8-beta-0-ga2aab9d 2016-10-13

Read UID of an ISO/IEC_14443 Tag (Only Type A, 4 or 7Bytes UID)

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to read Mifare UID type following commands:
NFC> typea
NFC> scan
ATQA: 04 00
UID:  CD 81 5F 76 (BCC 65 ok)
SAK:  08

You can also define options for scan like continuous mode and its period (in millisecond) (default period is 1000ms).

To stop a scan continuous just press UBTN.

Read UID and data of a MIFARE Ultralight Tag

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to read MIFARE Ultralight UID + 64bytes data, type following commands:
NFC> typea
NFC> scan
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
  • Example to read MIFARE Ultralight and save it to microSD, type following commands:
NFC> read-mf-ul mf-ul-64bytes-data.mfd
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
write file 0:mf-ul-64bytes-data.mfd with success

In this example the file mf-ul-64bytes-data.mfd is created in root directory of microSD card, the file contains all data read from the tag, it is a full dump compatible/same as Libnfc Mifare Dump(but for MIFARE Ultralight)

Read UID of an ISO/IEC 15693 Tag

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to read Vicinity UID type following commands:
NFC> vicinity
NFC> scan
UID: 0x00 0x00 0x6A 0x15 0x3A 0x18 0x00 0x00 0x07 0xE0

You can also define options for scan like continuous mode and its period (in millisecond) (default period is 1000ms).

To stop a scan continuous just press UBTN.

Emul ISO 14443A Tag UID (Alpha version WIP)

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to emulate ISO 14443A tag UID type following commands:
NFC> emul-3a
NFC Tag Emulation UID SDD started
Press user button(UBTN) to stop.

Launch an other shell with a NFC dongle reader like SCM Micro / SCL3711-NFC&RW:

  • nfc-anticol.exe used in this example is a tool part of libnfc 1.7.1
  • HydraNFC Antenna is on top of SCM Micro / SCL3711-NFC reader
nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits:     26 (7 bits)
Response after 1176 cycles
Received bits: 04  00
Sent bits:     93  20
Response after 1176 cycles
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Response after 1176 cycles
Received bits: 20  fc  70
Sent bits:     e0  50  bc  a5
Received bits:
Sent bits:     50  00  57  cd
Received bits:

Found tag with
 UID: cd815f76
ATQA: 0004
 SAK: 20

Emul MIFARE Ultralight Tag (Alpha version WIP)

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to emulate MIFARE Ultralight tag (previously read using read-mf-ul mf-ul-64bytes-data.mfd) type following commands:
NFC> emul-mf-ul filename mf-ul-64bytes-data.mfd
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
NFC Emulation Mifare Ultralight started
7Bytes UID: 04 1F 6E FA 2E 31 83
ATQA: 44 00
SAK1: 04
SAK2: 00
Press user button(UBTN) to stop.

Launch an other shell with a NFC dongle reader like SCM Micro / SCL3711-NFC&RW:

  • nfc-mfultralight.exe used in this example is a tool part of libnfc 1.7.1
  • HydraNFC Antenna is on top of SCM Micro / SCL3711-NFC reader
>nfc-mfultralight.exe r dump.mfd
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID: 041f6efa2e3183
Reading 16 pages ||
Done, 0 of 16 pages readed.

As this feature is alpha and need a rewrite see https://github.com/bvernoux/hydrafw/issues/43, data cannot be read accurately/correctly today(because of timing problem in emulation...) with reader like SCM Micro / SCL3711-NFC&RW. It is mainly for POC.

Emul Mifare Classic Tag UID (Alpha version WIP)

  • Using console type nfc + Enter to enter NFC mode dedicated to HydraNFC.
  • Example to emulate Mifare One tag UID type following commands:
NFC> emul-mifare
NFC Emulation Mifare One UID started
Press user button(UBTN) to stop.

Launch an other shell with a NFC dongle reader like SCM Micro / SCL3711-NFC&RW:

  • nfc-anticol.exe used in this example is a tool part of libnfc 1.7.1
  • HydraNFC Antenna is on top of SCM Micro / SCL3711-NFC reader
>nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits:     26 (7 bits)
Response after 1160 cycles
Received bits: 04  00
Sent bits:     93  20
Response after 1156 cycles
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Response after 1152 cycles
Received bits: 08  b6  dd
Sent bits:     50  00  57  cd
Received bits:

Found tag with
 UID: cd815f76
ATQA: 0004
 SAK: 08

Note: Timing can be adjusted to be compliant as expected Response after shall be 1172 cycles.

Unique NFC sniffer design

HydraNFC firmware called HydraFW (requires HydraBus) can sniff ISO14443A PICC and PCD both sides in real-time without any loss (with an ultra optimized synchronization, LUT and asm optimization and of course with the help of TI TRF7970A special raw mode with data sampled @3.39MHz using SPI slave with DMA circular buffer).

The whole process take less than 1µs with code execution from flash memory (checked with oscilloscope worst case):

  1. NFC RX stream synchronization (by counting leading zero or reverse using ASM trick CLZ)
  2. Downsampling by 4 + filtering of raw data
  • 32bits IN (@3.39MHz) => 8bits OUT (848KHz)
  1. Detection of protocol
  • Miller Modified PCD (Card Reader)
  • Manchester PICC (Tag)
  1. Conversion of final decoded data
  • Choose the corresponding Look-Up Table for PICC or PCD
  • 8bits IN (848KHz) => 1bit OUT (106KHz) in ASCII hex stored in SRAM with same syntax as proxmark.
  • The NFC sniffer can be programmed also to decode and reply in real-time.

So there is room to decode/encode any protocol at up to 1MHz (when NFC is limited to 848KHz).

Advantage is also GPIO of STM32F4 can exceed 80MHz, so it is also possible to encode anything at 13.56MHz (limited by NFC) and define/create custom NFC encoder/decoder.

Launch NFC sniffer from console

  • Using console type nfc sniff + Enter (or pressing & releasing HydraNFC K3 button to start the sniffer, sniff ISO14443A)
  • Stop the sniffer by pressing & releasing HydraNFC K4 button
    • All sniffed data are displayed in console
    • If a MicroSD is present, it will automatically save the trace in a txt file when sniffer is stopped (K4 is pressed & released).

Autonomous/stand-alone sniffer mode

  1. The hardware:
  • 1 HydraBus
  • 1 HydraNFC (with NFC Antenna included)
  • 1 MicroSD card (formatted FAT16 or FAT32 up to 32GB)
    • Can be formatted using HydraBus and command sd erase or using Linux/Windows..
  • 1 Power Bank connected on HydraBus Micro USB1 or 2 to power hydrabus+hydranfc boards.
  1. Flash official hydrafw firmware 0.4 Beta 55 or more (see https://github.com/bvernoux/hydrafw/releases)

  2. Start/Stop the Sniffer:

    • Power the board
    • Start NFC sniffer by pressing & releasing HydraNFC K3 button or HydraBus UBTN button
    • Place the HydraNFC Antenna between the TAG & the Reader.
      • Depending on Tag/Reader, the HydraNFC Antenna shall be not to close to the Tag/Reader and you can add a Corrugated fiberboard between Tag/Reader & HydraNFC Antenna.
    • When you have sniffed enough data stop it by pressing & releasing HydraNFC K4 button (it save data in microSD and green LED blink quickly if all is ok).
  3. Read/Analyze sniffed data:

    • With PC microSD reader:

      • Power Off the board extract the microSD and read it with your computer/tablet...
    • With HydraBus:

      • Connect HydraBus to PC and start VT100 Terminal(like putty) using USB Serial COM and use sd commands (sd ls, sd cat myfile.txt ...)
    • Files are created in root of the microsd and are text files with similar format as proxmark (except there's no ! for parity) (saved in a txt file with an incremented number each time)

Sniffer ISO14443A with unique hard real-time infinite trace mode

1) Hardware required

  • 1 PC (Windows or Linux) with up to 3 USB port available (or a USB 2.0 HS Hub).

    • 1 USB port for HydraBus/hydrafw console to configure the sniffer
    • 1 USB port shall be USB 2.0 HighSpeed for the FTDI interface C232HM-DDHSL-0
    • 1 USB port for NFC reader SCL3711 (or equivalent NFC reader can be also an android phone not connected to PC...)
  • 1 NFC reader like SCL3711, android phone(which can read NFC tags)...

  • 1 HydraBus with at least HydraFW v0.8 Beta

  • 1 HydraNFC (with NFC Antenna included)

  • 1 FTDI interface C232HM-DDHSL-0

    • UART FTDI C32HM-DDHSL-0 to HydraBus connection:

      C32HM-DDHSL-0 Pin HydraBus Pin
      Yellow ADBUS1 RX PA9 / USART1_TX
      Black GND GND (near PA9)

2) PC software required

  • libnfc tools (working with the NFC reader mainly to generate some traffic read tag ...)

    • Can be also done with any NFC reader like android phone with application to read tags ...
  • Putty or other VT100 serial(USB CDC) terminal to configure the sniffer

  • hydratool to retrieve and decode the sniffed data from HydraBus/HydraNFC(@8.4Megabauds 8N1) in real-time.

3) Setup Hardware & PC Software

3-1) Check you have latest HydraBus firmware flashed (or at least HydraFW v0.8 Beta)

  • Check the HydraBus+HydraNFC work fine by reading a tag for example and sniffing an exchange to be sure all work fine.
  • Connect to HydraBus USB (not the FTDI USB) and use command like nfc sniff bin frame-time
    • You can also use hydratool and click on the Terminal icon(toolTip display 2nd Terminal) and select the HydraBus COM port and Apply then enter the command nfc sniff bin frame-time
    • Now the HydraBus is in HydraNFC sniffer mode and any NFC Type A activity is captured in real-time and transmitted over FTDI UART to USB @8.4Mbauds

3-2) Configure the serial port in hydratool

  • In main Window called "HydraNFC real-time sniffer" press settings icon to configure the COM port linked to the FTDI interface C232HM-DDHSL-0 connected to your PC
    • Under Select Serial Port when you click on Combo Box you shall see available COM port else click on Refresh button to refresh them
  • Set BaudRate Combo Box to FTDI 8.4M and click on Apply

3-3) Use the sniffer with HydraBus/HydraNFC

  • If you present an active NFC Type A reader (with Tag if you want to sniff both way) on HydraNFC Antenna you shall see some decoded data displayed in "HydraNFC real-time sniffer" main window

  • See setup and results obtained here using an old version of hydratool 13Oct2016_live_sniff_mf_classic.md

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.