Proxmark3 easy hid emulation issues


On the left is a proxmark3 easy recently purchased from DT; on the right is an older proxmark3 easy. They are slightly different in size (screws don’t line up, so no mixing and matching parts) and the side USB ports are in different locations.

Of particular interest is that when I do a “lf hid sim” (e.g. lf hid sim -w HID10301 —fc 12 —cn 1337) I can’t get any reader to read it (including the other proxmark). If I try the same thing on my older proxmark3 easy it works perfectly. Exact same firmware flashed on each.

(tl;dr: both boards function as HID readers, but only the older board can correctly emulate HID)

Firmware:

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 Kb ( 58% used )

    Client.... Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:20
    Bootrom... Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:14 
    OS........ Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:18 
    Target.... PM3 GENERIC

New board:

[=] ---------- LF Antenna ----------
[+] LF antenna: 26.55 V - 125.00 kHz
[+] LF antenna: 20.88 V - 134.83 kHz
[+] LF optimal: 27.06 V - 126.32 kHz
[+] Approx. Q factor (*): 7.2 by frequency bandwidth measurement
[+] Approx. Q factor (*): 7.9 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 15.06 V - 13.56 MHz
[+] Approx. Q factor (*): 4.4 by peak voltage measurement
[+] HF antenna is OK
(*) Q factor must be measured without tag on the antenna
[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

Old board:

[=] ---------- LF Antenna ----------
[+] LF antenna: 42.21 V - 125.00 kHz
[+] LF antenna: 38.04 V - 134.83 kHz
[+] LF optimal: 47.40 V - 129.03 kHz
[+] Approx. Q factor (*): 8.4 by frequency bandwidth measurement
[+] Approx. Q factor (*): 13.8 by peak voltage measurement
[+] LF antenna is OK
[=] ---------- HF Antenna ----------
[+] HF antenna: 34.07 V - 13.56 MHz
[+] Approx. Q factor (*): 9.9 by peak voltage measurement
[+] HF antenna is OK
(*) Q factor must be measured without tag on the antenna
[+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

Does anyone else have one of the new proxmark3 easy boards to test with? I can’t tell if it’s just a failed board or if the new PCB design somehow breaks HID emulation.

Hmm… are you sure about that firmware matching the client version? When I sent your command I got an error… lf hid sim -w HID10301 —fc 12 —cn 1337

Of course, the command might be structured wrong… but when posting command examples, be sure they accurately represent what you’re actually sending :wink: Also send a screen shot of what you’re actually getting when you send your commands… would be helpful to actually “see” what you’re “seeing”…

Do you get the same FSK sim line on both proxmark3 units with the same parameters?

You’re right, I did get the example in the post wrong (facepalm) and you are correct about the syntax; however, I did type it correctly in the actual client.

[usb] pm3 --> lf hid sim -w H10301 --fc 12 --cn 1337
[=] Simulating HID tag
[+] [H10301  ] HID H10301 26-bit                FC: 12  CN: 1337  parity ( ok )
[+] [ind26   ] Indala 26-bit                    FC: 192  CN: 1337  parity ( ok )
[=] found 2 matching formats

[=] Press <Enter> or pm3-button to abort simulation
[#] FSK simulating with rf/50, fc high 10, fc low 8, STT 0, n 4800

Same on both (I’ve been literally moving the USB cable between both devices, doing a “hw connect” and then hitting the up arrow to repeat the last command).

One other hardware quirk I’ve noticed is that the GPIO pins for the LEDs on this board aren’t mapped out correctly: when the source says LED_D_ON() it’s actually B that lights up. As a result, the reader detection light is B (red light) and not D (blue light).

This is a bit more obvious when in the reader detect signal strength mode:

[usb] pm3 --> hw detectreader -L
[=] press pm3 button to change modes and finally exit

[#] LF 125/134kHz Baseline: 73mV
[#] Signal Strength Mode

(button pressed to switch modes)

In this mode the LEDs should be a nice bar graph of A->B->C->D as the signal progresses, but with this board it actually lights up A->D->C->B.

However, what I’ve noticed is that in HID sim mode I don’t actually get the reader detect LED lighting up at all (it should light up D – which it does on the other board – or B because this board is miswired); I’m only getting the reader detect when I explicitly do hw detectreader -L.
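The H10301 layout behind the “parity ( ok )” line in the sim output above, as an added example that is not part of the thread or of the Proxmark3 client code: it encodes FC 12 / CN 1337 into the 26-bit Wiegand value, decodes it back and checks both parity bits, so an emulated frame can be compared against what a reader reports. Function names are my own.

```python
# Added example (not from the thread): encode and verify the HID H10301
# 26-bit Wiegand layout that "lf hid sim -w H10301 --fc 12 --cn 1337"
# reports as "parity ( ok )". Bit layout, MSB first:
#   bit 0      : even parity over bits 1..12
#   bits 1..8  : 8-bit facility code (FC)
#   bits 9..24 : 16-bit card number (CN)
#   bit 25     : odd parity over bits 13..24

def h10301_encode(fc: int, cn: int) -> int:
    """Return the 26-bit H10301 value for facility code fc and card number cn."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= cn <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = (fc << 16) | cn                      # the 24 data bits
    high12 = data >> 12                         # FC plus the top 4 bits of CN
    low12 = data & 0xFFF                        # low 12 bits of CN
    even_p = bin(high12).count("1") & 1         # makes the ones count of bits 0..12 even
    odd_p = 1 - (bin(low12).count("1") & 1)     # makes the ones count of bits 13..25 odd
    return (even_p << 25) | (data << 1) | odd_p

def h10301_decode(raw: int) -> dict:
    """Split a 26-bit value into FC / CN and verify both parity bits."""
    if raw >> 26:
        raise ValueError("value does not fit in 26 bits")
    even_p = (raw >> 25) & 1
    data = (raw >> 1) & 0xFFFFFF
    odd_p = raw & 1
    high12 = data >> 12
    low12 = data & 0xFFF
    even_ok = (bin(high12).count("1") + even_p) % 2 == 0
    odd_ok = (bin(low12).count("1") + odd_p) % 2 == 1
    return {"fc": data >> 16, "cn": data & 0xFFFF, "parity_ok": even_ok and odd_ok}

if __name__ == "__main__":
    raw = h10301_encode(12, 1337)
    print(f"raw 26-bit value: {raw:#08x}  {raw:026b}")
    print(h10301_decode(raw))
    # A single flipped data bit (as a weak or noisy sim would produce) fails parity.
    print(h10301_decode(raw ^ (1 << 5)))
```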

It’s definitely interesting that the LEDs are not wired up in the correct order… that’s lame. What is confusing me here is that the LF components work for basically everything except HID emulation? But like… they are the same components used to read LF tags and emulate them… so I’m totally confused :confused:

I will ask Iceman if he’s ever seen this before… perhaps he will have some input.


If you look closely at the command you will see that the -w and —fc have different lengths of dashes (approximately an en dash and an em dash); this is because some “smart” formatter changed --fc to —fc.

If you change those back it should work…


Tested with my pm3 easy (USB power socket is next to the switch, like the one on the right) and I had to use -w h10301 to get it to work, but my flipper could read it.

Yeah, the one on the right is the working one, which I was also using to check flipper HID functionality. It’s the one on the left with the USB in the corner that I can’t get HID emulation working on. I’ve also been digging into the proxmark3 firmware; stuff like remapping the LEDs to be in the correct order is trivial, but I’m also trying to understand how HID emulation is supposed to work to see if the one on the left is salvageable.

I have a legit HID prox reader connected and tested one of our proxmark3 units with the emulation command:

lf hid sim -w H10301 --fc 12 --cn 1337

… and it worked great. I will bounce back to your trouble ticket to arrange an RMA.

We heard about this and got a bunch of pm3 easys ordered from various sources, and have only been able to pin it down to random hardware faults that don’t cause problems anywhere else. It’s awesome you RMA’d this.

Unfortunately there’s no fix for this on the FW side of things :frowning:
