HydraFW HydraNFC guide

Benjamin Vernoux edited this page Oct 31, 2016 · 41 revisions

HydraNFC must be plugged into the front side of HydraBus! (Power off HydraBus before plugging in HydraNFC.)

This guide is updated for firmware release HydraFW v0.8 Beta: HydraFW (HydraBus) v0.8-beta-0-ga2aab9d 2016-10-13

Read UID of an ISO/IEC 14443 Tag (Type A only, 4- or 7-byte UID)

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to read a MIFARE UID, type the following commands:
NFC> typea
NFC> scan
ATQA: 04 00
UID:  CD 81 5F 76 (BCC 65 ok)
SAK:  08

The scan command also accepts options such as continuous mode and its period in milliseconds (the default period is 1000 ms).

To stop a continuous scan, press UBTN.

Read UID and data of a MIFARE Ultralight Tag

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to read a MIFARE Ultralight UID plus its 64 bytes of data, type the following commands:
NFC> typea
NFC> scan
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
  • Example to read a MIFARE Ultralight tag and save it to the microSD card, type the following commands:
NFC> read-mf-ul mf-ul-64bytes-data.mfd
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
write file 0:mf-ul-64bytes-data.mfd with success

In this example the file mf-ul-64bytes-data.mfd is created in the root directory of the microSD card. It contains all the data read from the tag: a full dump in the same format as a libnfc MIFARE dump (but for MIFARE Ultralight).
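To make sense of such a dump, here is an added example (not hydrafw or libnfc code) that parses it in Python. It assumes the .mfd file is the raw 64-byte page image (16 pages x 4 bytes) printed as DATA above; the DUMP constant is those bytes copied from the console output. It verifies BCC0/BCC1 the way the firmware's "(DATA BCC0 FD ok)" lines do (BCC0 covers the cascade tag 0x88 and UID0..2, BCC1 covers UID3..6), decodes the NFC Forum Type 2 capability container in page 3 and the NDEF URI record that follows it, and reports what sits after the 0xFE terminator TLV.

```python
# Added example (not hydrafw code): parse a MIFARE Ultralight dump such as
# mf-ul-64bytes-data.mfd.  Assumption: the .mfd file is the raw 16 pages x 4
# bytes = 64-byte page image that read-mf-ul prints as DATA.

# The 64 bytes printed by read-mf-ul above, copied from the console output.
DUMP = bytes.fromhex(
    "041F6EFDFA2E318366480000E1100600"
    "0311D1010D550168796472616275732E"
    "636F6DFE2062792053746F6C6C6D616E"
    "6EFE0000000000000000000000000000"
)

CT = 0x88  # cascade tag: replaces UID0 in cascade level 1, so it enters BCC0

# NFC Forum URI record prefix codes (the subset needed here)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}


def parse_cc(page3):
    """Capability Container of an NFC Forum Type 2 tag (Ultralight page 3, OTP area)."""
    if page3[0] != 0xE1:
        return None  # not NDEF-formatted; page 3 is then plain OTP bits
    return {
        "version": "%d.%d" % (page3[1] >> 4, page3[1] & 0x0F),
        "data_area_bytes": page3[2] * 8,        # size is stored in 8-byte units
        "writable": (page3[3] & 0x0F) == 0,     # low nibble: write access, 0 = granted
    }


def parse_ndef_record(msg):
    """Decode the first NDEF record; short-record (SR=1) header form only,
    which is all a 64-byte tag can hold."""
    hdr = msg[0]
    tnf, sr, il = hdr & 0x07, hdr & 0x10, hdr & 0x08
    if not sr:
        raise ValueError("long-record header not supported")
    type_len, payload_len, pos = msg[1], msg[2], 3
    id_len = 0
    if il:
        id_len, pos = msg[pos], pos + 1
    rtype = msg[pos:pos + type_len]
    pos += type_len + id_len
    payload = msg[pos:pos + payload_len]
    rec = {"tnf": tnf, "type": rtype.decode("ascii")}
    if tnf == 1 and rtype == b"U":  # well-known URI record: prefix code + suffix
        rec["uri"] = URI_PREFIXES.get(payload[0], "?") + payload[1:].decode("utf-8")
    return rec


def parse_tlv_area(area):
    """Walk the Type 2 TLV area (page 4 onward): 0x00 NULL, 0x03 NDEF message,
    0xFE terminator.  Returns the decoded NDEF record and the non-zero bytes
    left after the terminator (stale data from an earlier, longer write)."""
    i, record = 0, None
    while i < len(area):
        t = area[i]
        if t == 0x00:
            i += 1
            continue
        if t == 0xFE:
            return record, area[i + 1:].rstrip(b"\x00")
        length = area[i + 1]
        i += 2
        if length == 0xFF:  # 3-byte length form
            length = (area[i] << 8) | area[i + 1]
            i += 2
        value = area[i:i + length]
        i += length
        if t == 0x03 and record is None:
            record = parse_ndef_record(value)
    return record, b""


def parse_mfu_dump(dump):
    if len(dump) != 64:
        raise ValueError("expected a 64-byte MIFARE Ultralight page image")
    pages = [dump[i:i + 4] for i in range(0, 64, 4)]
    uid = pages[0][:3] + pages[1]  # 7-byte UID: UID0-2 in page 0, UID3-6 in page 1
    bcc0, bcc1 = pages[0][3], pages[2][0]
    record, stale = parse_tlv_area(dump[16:])
    return {
        "uid": uid.hex(),
        "bcc0_ok": bcc0 == (CT ^ uid[0] ^ uid[1] ^ uid[2]),
        "bcc1_ok": bcc1 == (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]),
        "lock_bytes": pages[2][2:4].hex(),  # static lock bytes; 00 00 = nothing locked
        "cc": parse_cc(pages[3]),
        "ndef": record,
        "stale": stale,
    }


if __name__ == "__main__":
    for key, value in parse_mfu_dump(DUMP).items():
        print(key, value)
```

On this dump it returns UID 041f6efa2e3183 with both BCCs valid, a CC of version 1.0 announcing 48 data bytes with write access granted, the URI http://www.hydrabus.com, and 14 stale bytes (" by Stollmann" plus a second terminator) left over from an earlier, longer record. A reader stops at the first 0xFE, but those bytes are still on the tag, which matters when you clone or wipe one.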

Read UID of an ISO/IEC 15693 Tag

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to read a vicinity (ISO/IEC 15693) tag UID, type the following commands:
NFC> vicinity
NFC> scan
UID: 0x00 0x00 0x6A 0x15 0x3A 0x18 0x00 0x00 0x07 0xE0

The scan command also accepts options such as continuous mode and its period in milliseconds (the default period is 1000 ms).

To stop a continuous scan, press UBTN.

Emulate ISO 14443A Tag UID (alpha version, WIP)

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to emulate an ISO 14443A tag UID, type the following commands:
NFC> emul-3a
NFC Tag Emulation UID SDD started
Press user button(UBTN) to stop.

Launch another shell with an NFC dongle reader such as the SCM Micro / SCL3711-NFC&RW:

  • nfc-anticol.exe used in this example is part of libnfc 1.7.1
  • The HydraNFC antenna is placed on top of the SCM Micro / SCL3711-NFC reader
nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits:     26 (7 bits)
Response after 1176 cycles
Received bits: 04  00
Sent bits:     93  20
Response after 1176 cycles
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Response after 1176 cycles
Received bits: 20  fc  70
Sent bits:     e0  50  bc  a5
Received bits:
Sent bits:     50  00  57  cd
Received bits:

Found tag with
 UID: cd815f76
ATQA: 0004
 SAK: 20

Emulate MIFARE Ultralight Tag (alpha version, WIP)

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to emulate a MIFARE Ultralight tag (previously read with read-mf-ul mf-ul-64bytes-data.mfd), type the following commands:
NFC> emul-mf-ul filename mf-ul-64bytes-data.mfd
DATA:
 04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
 03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
 63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
 6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31
 (DATA BCC0 FD ok)
 (DATA BCC1 66 ok)
NFC Emulation Mifare Ultralight started
7Bytes UID: 04 1F 6E FA 2E 31 83
ATQA: 44 00
SAK1: 04
SAK2: 00
Press user button(UBTN) to stop.

Launch another shell with an NFC dongle reader such as the SCM Micro / SCL3711-NFC&RW:

  • nfc-mfultralight.exe used in this example is part of libnfc 1.7.1
  • The HydraNFC antenna is placed on top of the SCM Micro / SCL3711-NFC reader
>nfc-mfultralight.exe r dump.mfd
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID: 041f6efa2e3183
Reading 16 pages ||
Done, 0 of 16 pages readed.

This feature is alpha and needs a rewrite (see https://github.com/bvernoux/hydrafw/issues/43): because of a timing problem in the emulation, the data cannot currently be read correctly with a reader such as the SCM Micro / SCL3711-NFC&RW (the reader finds the card and its UID, but reads 0 of 16 pages). It is mainly a proof of concept.

Emulate Mifare Classic Tag UID (alpha version, WIP)

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • Example to emulate a Mifare One tag UID, type the following commands:
NFC> emul-mifare
NFC Emulation Mifare One UID started
Press user button(UBTN) to stop.

Launch another shell with an NFC dongle reader such as the SCM Micro / SCL3711-NFC&RW:

  • nfc-anticol.exe used in this example is part of libnfc 1.7.1
  • The HydraNFC antenna is placed on top of the SCM Micro / SCL3711-NFC reader
>nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened

Sent bits:     26 (7 bits)
Response after 1160 cycles
Received bits: 04  00
Sent bits:     93  20
Response after 1156 cycles
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Response after 1152 cycles
Received bits: 08  b6  dd
Sent bits:     50  00  57  cd
Received bits:

Found tag with
 UID: cd815f76
ATQA: 0004
 SAK: 08

Note: the timing can be adjusted to be compliant; the expected value of "Response after" is 1172 cycles.
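Added example (not hydrafw or libnfc code) that checks the two nfc-anticol traces above (this one and the one in the ISO 14443A UID emulation section) from the reader's side, and also the BCC that the scan command reports for the same UID CD 81 5F 76. It computes the ISO/IEC 14443-3 CRC_A (reflected polynomial 0x8408, initial value 0x6363, low byte first) to verify the SELECT, SAK, RATS and HLTA frames, checks the BCC of the anticollision reply, and interprets the SAK: bit 0x04 means the UID is not complete (another cascade level follows), bit 0x20 means the card claims ISO 14443-4 support, which is why the reader sends RATS (E0 50) only in the first trace. The TRACE_* strings are copied from this page; the result field names are this example's own.

```python
# Added example (not hydrafw or libnfc code): verify the anticollision
# exchanges that nfc-anticol printed while HydraNFC emulated a UID.
import re

# Copied from the nfc-anticol output above (emul-3a: SAK 20, reader sends RATS).
TRACE_EMUL_3A = """
Sent bits:     26 (7 bits)
Received bits: 04  00
Sent bits:     93  20
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Received bits: 20  fc  70
Sent bits:     e0  50  bc  a5
Received bits:
Sent bits:     50  00  57  cd
Received bits:
"""

# Copied from the nfc-anticol output above (emul-mifare: SAK 08, no RATS).
TRACE_EMUL_MIFARE = """
Sent bits:     26 (7 bits)
Received bits: 04  00
Sent bits:     93  20
Received bits: cd  81  5f  76  65
Sent bits:     93  70  cd  81  5f  76  65  d1  86
Received bits: 08  b6  dd
Sent bits:     50  00  57  cd
Received bits:
"""

FRAME_RE = re.compile(r"^(Sent|Received) bits:\s*([0-9a-fA-F ]*?)\s*(?:\((\d+) bits\))?$")


def crc_a(data):
    """ISO/IEC 14443-3 CRC_A: reflected polynomial 0x8408, initial value 0x6363,
    appended low byte first (SELECT, SAK, RATS and HLTA all carry it)."""
    crc = 0x6363
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])


def bcc(uid4):
    """Block check character: XOR of the four bytes sent in one cascade level."""
    x = 0
    for b in uid4:
        x ^= b
    return x


def parse_trace(text):
    """Yield (direction, bytes, bit count) for each Sent/Received line."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            data = bytes.fromhex(m.group(2).replace(" ", ""))
            nbits = int(m.group(3)) if m.group(3) else 8 * len(data)
            frames.append((m.group(1), data, nbits))
    return frames


def analyse(text):
    info, sent = {}, b""
    for direction, data, nbits in parse_trace(text):
        if direction == "Sent":
            sent = data
            if data[:1] == b"\x26":                 # REQA must be a 7-bit short frame
                info["reqa_short_frame"] = nbits == 7
            elif data[:2] == b"\x93\x70":           # SELECT CL1: 93 70 UID0..3 BCC CRC_A
                info["uid"] = data[2:6].hex()
                info["bcc_ok"] = bcc(data[2:6]) == data[6]
                info["select_crc_ok"] = crc_a(data[:7]) == data[7:9]
            elif data[:1] == b"\xe0":               # RATS: sent only if SAK announced 14443-4
                info["rats_crc_ok"] = crc_a(data[:2]) == data[2:4]
            elif data[:2] == b"\x50\x00":           # HLTA
                info["hlta_crc_ok"] = crc_a(data[:2]) == data[2:4]
        elif sent[:1] == b"\x26":                   # ATQA, low byte first on the wire
            info["atqa"] = data.hex()               # libnfc prints it as the word 0004
        elif sent[:2] == b"\x93\x20":               # anticollision reply: UID0..3 + BCC
            info["anticol_bcc_ok"] = bcc(data[:4]) == data[4]
        elif sent[:2] == b"\x93\x70" and data:      # SAK + CRC_A
            sak = data[0]
            info.update(sak=sak, sak_crc_ok=crc_a(data[:1]) == data[1:3],
                        uid_complete=not sak & 0x04, iso14443_4=bool(sak & 0x20))
        elif sent[:1] == b"\xe0":
            info["rats_answered"] = bool(data)      # an ATS is expected here
    return info


if __name__ == "__main__":
    print("emul-3a    :", analyse(TRACE_EMUL_3A))
    print("emul-mifare:", analyse(TRACE_EMUL_MIFARE))
```

Both traces verify cleanly (UID cd815f76 with BCC 65, all CRC_A values correct, a 7-bit REQA). The difference between them is what the SAK promises: with SAK 20 the reader follows up with RATS and gets no ATS back, because only the UID is emulated; with SAK 08 the reader treats the card as a MIFARE Classic and goes straight to HLTA. When emulating, pick the SAK that matches what you are prepared to answer afterwards.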

Unique NFC sniffer design

The HydraNFC firmware, HydraFW (requires HydraBus), can sniff both sides of ISO14443A traffic (PICC and PCD) in real time without any loss, thanks to highly optimized synchronization, look-up tables and assembly optimization, and of course to the TI TRF7970A's special raw mode, with data sampled at 3.39 MHz through an SPI slave with a DMA circular buffer.

The whole process takes less than 1 µs with code executing from flash memory (worst case checked with an oscilloscope):

  1. NFC RX stream synchronization (by counting leading zeros, or the reverse, using the CLZ assembly instruction)
  2. Downsampling by 4 plus filtering of the raw data
    • 32 bits in (at 3.39 MHz) => 8 bits out (848 kHz)
  3. Protocol detection
    • Modified Miller: PCD (card reader)
    • Manchester: PICC (tag)
  4. Conversion of the final decoded data
    • Choose the look-up table corresponding to PICC or PCD
    • 8 bits in (848 kHz) => 1 bit out (106 kHz), stored in SRAM as ASCII hex with the same syntax as proxmark
  5. The NFC sniffer can also be programmed to decode and reply in real time

So there is room to decode/encode any protocol at up to 1 MHz (NFC itself is limited to 848 kHz).

Another advantage is that the STM32F4 GPIOs can exceed 80 MHz, so it is also possible to encode anything up to 13.56 MHz (the NFC carrier) and define/create custom NFC encoders/decoders.

Launch NFC sniffer from console

  • In the console, type nfc sniff + Enter (or press and release the HydraNFC K3 button) to start the sniffer (sniffs ISO14443A)
  • Stop the sniffer by pressing and releasing the HydraNFC K4 button
    • All sniffed data is displayed in the console
    • If a microSD card is present, the trace is automatically saved to a .txt file when the sniffer is stopped (K4 pressed and released).

Autonomous/stand-alone sniffer mode

1) The hardware:

  • 1 HydraBus
  • 1 HydraNFC (with NFC Antenna included)
  • 1 microSD card (formatted FAT16 or FAT32, up to 32 GB)
    • Can be formatted with HydraBus using the sd erase command, or with Linux/Windows.
  • 1 power bank connected to HydraBus Micro USB1 or USB2 to power the HydraBus + HydraNFC boards.

2) Flash the official hydrafw firmware 0.4 Beta 55 or later (see https://github.com/bvernoux/hydrafw/releases)

3) Start/Stop the Sniffer:

  • Power the board
  • Start the NFC sniffer by pressing and releasing the HydraNFC K3 button or the HydraBus UBTN button
  • Place the HydraNFC antenna between the tag and the reader.
    • Depending on the tag/reader, the HydraNFC antenna should not be too close to the tag/reader; you can add a piece of corrugated fiberboard between the tag/reader and the HydraNFC antenna.
  • When you have sniffed enough data, stop it by pressing and releasing the HydraNFC K4 button (it saves the data to the microSD card and the green LED blinks quickly if all is OK).

4) Read/Analyze sniffed data:

  • With a PC microSD reader:
    • Power off the board, remove the microSD card and read it on your computer/tablet...
  • With HydraBus:
    • Connect HydraBus to the PC, start a VT100 terminal (such as PuTTY) on the USB serial COM port and use the sd commands (sd ls, sd cat myfile.txt ...)
  • Files are created in the root of the microSD card as text files in a format similar to proxmark's (except there is no ! parity marker); each capture is saved to a new .txt file with an incremented number.

ISO14443A sniffer with unique hard real-time infinite trace mode

1) The hardware:

  • 1 PC (Windows or Linux) with up to 3 USB ports available (or a USB 2.0 HS hub).
    • 1 USB port for the HydraBus/hydrafw console, to configure the sniffer
    • 1 USB port, which shall be USB 2.0 High Speed, for the FTDI interface C232HM-DDHSL-0
    • 1 USB port for the NFC reader SCL3711 (or an equivalent NFC reader; it can also be an Android phone not connected to the PC...)
  • 1 NFC reader such as the SCL3711, an Android phone (which can read NFC tags)...
  • 1 HydraBus with at least HydraFW v0.8 Beta
  • 1 HydraNFC (with NFC antenna included)
  • 1 FTDI interface C232HM-DDHSL-0

    • UART connection from the FTDI C232HM-DDHSL-0 to HydraBus:

      C232HM-DDHSL-0 pin        HydraBus pin
      Yellow (ADBUS1, RX)       PA9 / USART1_TX
      Black  (GND)              GND (near PA9)

2) The PC software:

  • libnfc tools (used with the NFC reader, mainly to generate some traffic such as reading a tag...)
    • This can also be done with any NFC reader, e.g. an Android phone with a tag-reading application...
  • PuTTY or another VT100 serial (USB CDC) terminal to configure the sniffer
  • hydratool v0.2 or later (currently for internal use; contact me by email at info@hydrabus.com for this beta version) to retrieve and decode the sniffed data from HydraBus/HydraNFC (at 8.4 Mbaud, 8N1) in real time.

See the setup and the results obtained here: 13Oct2016_live_sniff_mf_classic.md