Proxmark3 easy hid emulation issues


On the left is a proxmark3 easy recently purchased from DT, on the right is an older proxmark3 easy; they are slightly different in size (screws don’t line up so no mixing and matching parts) and the side usb ports are in different locations.

Of particular interest is that when I do a “lf hid sim” (eg lf hid sim -w HID10301 —fc 12 —cn 1337) I can’t get any reader to read it (including the other proxmark). If I try the same thing on my older proxmark3 easy it works perfectly. Exact same firmware flashed on each.

(tldr - both boards function as hid readers, but only the older board can correctly emulate hid)

firmware:

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 Kb ( 58% used )

    Client.... Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:20
    Bootrom... Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:14 
    OS........ Iceman/master/v4.14831-604-g65b9a9fb7 2022-05-31 02:11:18 
    Target.... PM3 GENERIC

new board:

    [=] ---------- LF Antenna ----------
    [+] LF antenna: 26.55 V - 125.00 kHz
    [+] LF antenna: 20.88 V - 134.83 kHz
    [+] LF optimal: 27.06 V - 126.32 kHz
    [+] Approx. Q factor (*): 7.2 by frequency bandwidth measurement
    [+] Approx. Q factor (*): 7.9 by peak voltage measurement
    [+] LF antenna is OK
    [=] ---------- HF Antenna ----------
    [+] HF antenna: 15.06 V - 13.56 MHz
    [+] Approx. Q factor (*): 4.4 by peak voltage measurement
    [+] HF antenna is OK
    (*) Q factor must be measured without tag on the antenna
    [+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

old board:

    [=] ---------- LF Antenna ----------
    [+] LF antenna: 42.21 V - 125.00 kHz
    [+] LF antenna: 38.04 V - 134.83 kHz
    [+] LF optimal: 47.40 V - 129.03 kHz
    [+] Approx. Q factor (*): 8.4 by frequency bandwidth measurement
    [+] Approx. Q factor (*): 13.8 by peak voltage measurement
    [+] LF antenna is OK
    [=] ---------- HF Antenna ----------
    [+] HF antenna: 34.07 V - 13.56 MHz
    [+] Approx. Q factor (*): 9.9 by peak voltage measurement
    [+] HF antenna is OK
    (*) Q factor must be measured without tag on the antenna
    [+] Displaying LF tuning graph. Divisor 88 (blue) is 134.83 kHz, 95 (red) is 125.00 kHz.

Does anyone else have one of the new proxmark3 easy boards to test with? I can’t tell if it’s just a failed board or if the new pcb design somehow breaks hid emulation.

hmm… are you sure about that firmware matching the client version? When I sent your command I got an error… lf hid sim -w HID10301 —fc 12 —cn 1337

Of course, the command might be structured wrong… but when posting command examples, be sure they accurately represent what you’re actually sending :wink: Also send a screen shot of what you’re actually getting when you send your commands… would be helpful to actually “see” what you’re “seeing”…

Do you get the same FSK sim line on both proxmark3 units with the same parameters?

You’re right, I did get the example in the post wrong (facepalm) and you are correct in the syntax, however I did type it correctly in the actual client.

    [usb] pm3 --> lf hid sim -w H10301 --fc 12 --cn 1337
    [=] Simulating HID tag
    [+] [H10301  ] HID H10301 26-bit                FC: 12  CN: 1337  parity ( ok )
    [+] [ind26   ] Indala 26-bit                    FC: 192  CN: 1337  parity ( ok )
    [=] found 2 matching formats

    [=] Press <Enter> or pm3-button to abort simulation
    [#] FSK simulating with rf/50, fc high 10, fc low 8, STT 0, n 4800

same on both (I’ve been literally moving the usb cable between both devices, doing a “hw connect” and then hitting the up arrow to repeat the last command)

One other hardware quirk I’ve noticed is that the GPIO pins for the LEDs on this board aren’t mapped out correctly: when the source says LED_D_ON() it’s actually B that lights up; as a result the reader detection light is B (red light) and not D (blue light).

This is a bit more obvious when in the reader detect signal strength mode

    [usb] pm3 --> hw detectreader -L
    [=] press pm3 button to change modes and finally exit

    [#] LF 125/134kHz Baseline: 73mV
    [#] Signal Strength Mode

(button pressed to switch modes)

In this mode the LEDs should be a nice bar graph of A->B->C->D as the signal progresses but with this board it actually lights up A->D->C->B

However, what I’ve noticed is that in hid sim mode I don’t actually get the reader detect LED lighting up (it should light up D, which it does on the other board, or B because this board is miswired); I’m only getting the reader detect when I explicitly do hw detectreader -L.

It’s definitely interesting that the LEDs are not wired up in the correct order… that’s lame. What is confusing me here is that the LF components work for basically everything except HID emulation? But like… they are the same components used to read LF tags and emulate them… so I’m totally confused :confused:

I will ask Iceman if he’s ever seen this before… perhaps he will have some input.


If you look closely at the command you will see that the -w and —fc have different lengths of dashes (approximately an en dash and an em dash) this is because some “smart” formatter changed --fc to —fc

If you change those back it should work…


Tested with my pm3 easy (USB power socket is next to the switch like the one on the right.) and I had to use -w h10301 to get it to work, but my flipper could read it.

Yeah, the one on the right is the working one, which I was also using to check flipper HID functionality. It’s the one on the left with the usb in the corner that I can’t get HID emulation working on. I’ve also been digging into the proxmark3 firmware; stuff like remapping the LEDs to be in the correct order is trivial but I’m also trying to understand how HID emulation is supposed to work to see if the one on the left is salvageable.

I have a legit HID prox reader connected and tested one of our proxmark3 units with the emulation command

    lf hid sim -w H10301 --fc 12 --cn 1337

… and it worked great. I will bounce back to your trouble ticket to arrange an RMA.

We heard about this and got a bunch of pm3 easys ordered from various sources and have only been able to pin it down to random hardware faults that don’t cause problems anywhere else. It’s awesome you RMA’d this.

unfortunately there’s no fix on this on the fw side of things :frowning:


I am running into the same issue simulating HID prox with PM3.

    lf hid sim -w H10301 --fc 118 --cn 1603

Other than RMA, I was wondering if anyone has suggestions on what else to test.

So far, I have been successfully cloning HID prox, EM and AWID to the T55xx; I know the LF side works.

I tried the hw detectreader -L as well. The reader is reading LF and read the cloned T55xx, and the door unlocked.

To add to this, I bought 4 units recently… tried on all four with the same ‘bad’ result.

When in sim mode, the first LED A lit, green color.

Ok so this indicates to me that it is actually working properly… How are you determining that it’s not working?

I presented the unit to the card reader and it did not read anything.

Btw, I also have a Flipper Zero to read and emulate prox and it works; my card reader read the emulation from the Flipper Zero.

Can you read the emulation with the flipper? The reader at a door might have other issues.

When emulating with the proxmark3, there is only the green LED on and no other LEDs, other than white power indicator?


and write…


My suspicion is that there’s a hardware implementation issue with some of the Proxmark3 easy cards. Here’s what happens on the rdv4:

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 KB ( 69% used )

    Client.... Iceman/master/v4.17768-11-g69cc139c7-dirty 2024-01-04 07:03:23
    Bootrom... Iceman/master/v4.17768-11-g69cc139c7-dirty-suspect 2024-01-04 07:08:27
    OS........ Iceman/master/v4.17768-11-g69cc139c7-dirty-suspect 2024-01-04 07:08:43
    Target.... RDV4

    [usb] pm3
    [usb] pm3 --> lf hid sim -w h10301 --fc 100 --cn 90
    [=] Simulating HID tag
    [+] [H10301 ] HID H10301 26-bit FC: 100 CN: 90 parity ( ok )
    [+] [ind26 ] Indala 26-bit FC: 1600 CN: 90 parity ( ok )
    [=] found 2 matching formats

    [=] Press pm3 button or press <Enter> to abort simulation
    [#] FSK simulating with rf/50, fc high 10, fc low 8, STT 0, n 4800
    [#] Starting simulation: period=4800, gap=0, ledcontrol=1, numcycles = -1
    [#] End simulation: short=99043, open=99039, fieldDetectCount=553973, loopCount=198082, lowCount=38092, gotLow=1
    [=] Done
    [usb] pm3

And here’s what happens on the Proxmark3 Easy (build is slightly different, but it doesn’t matter)

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 61% used )

    Client.... Iceman/master/v4.17768-4-g50a252c8c-dirty 2024-01-03 11:25:09
    Bootrom... Iceman/master/v4.17768-4-g50a252c8c-dirty-suspect 2024-01-03 11:25:51
    OS........ Iceman/master/v4.17768-4-g50a252c8c-dirty-suspect 2024-01-03 11:26:06
    Target.... PM3 GENERIC

    [usb] pm3 --> lf hid sim -w h10301 --fc 100 --cn 90
    [=] Simulating HID tag
    [+] [H10301 ] HID H10301 26-bit FC: 100 CN: 90 parity ( ok )
    [+] [ind26 ] Indala 26-bit FC: 1600 CN: 90 parity ( ok )
    [=] found 2 matching formats

    [=] Press pm3 button or press <Enter> to abort simulation
    [#] FSK simulating with rf/50, fc high 10, fc low 8, STT 0, n 4800
    [#] Starting simulation: period=4800, gap=0, ledcontrol=1, numcycles = -1
    [#] End simulation: short=4, open=1, fieldDetectCount=0, loopCount=5, lowCount=4, gotLow=1
    [=] Done
    [usb] pm3

And here’s what happens on the Proxmark3 rdv2:

    MCU....... AT91SAM7S512 Rev A
    Memory.... 512 KB ( 61% used )

    Client.... Iceman/master/v4.17768-4-g50a252c8c-dirty 2024-01-03 11:25:09
    Bootrom... Iceman/master/v4.17768-4-g50a252c8c-dirty-suspect 2024-01-03 11:25:51
    OS........ Iceman/master/v4.17768-4-g50a252c8c-dirty-suspect 2024-01-03 11:26:06
    Target.... PM3 GENERIC

    [usb] pm3 --> lf hid sim -w h10301 --fc 100 --cn 90
    [=] Simulating HID tag
    [+] [H10301 ] HID H10301 26-bit FC: 100 CN: 90 parity ( ok )
    [+] [ind26 ] Indala 26-bit FC: 1600 CN: 90 parity ( ok )
    [=] found 2 matching formats

    [=] Press pm3 button or press <Enter> to abort simulation
    [#] FSK simulating with rf/50, fc high 10, fc low 8, STT 0, n 4800
    [#] Starting simulation: period=4800, gap=0, ledcontrol=1, numcycles = -1
    [#] End simulation: short=545204, open=545200, fieldDetectCount=3117085, loopCount=1090404, lowCount=252178, gotLow=1
    [=] Done
    [usb] pm3

If it wasn’t clear, some debug code was inserted to output debug messages for some variables in the simulation code. I was able to read the rdv2 and rdv4 simulations with the Flipper Zero, however the Proxmark3 Easy could not be read.

I have tried this with three different proxmark3 easy cards. These appear to be identical builds. There’s an oval sticker with “512” on it, and a barcode sticker with “Proxmark3 Easy” and the value 131908866 on the barcode. None of the Proxmark3 Easy devices could be read with the Flipper Zero.

I’ve tried em 410x simulations, and those show basically the same behavior, working on the rdv2 and rdv4 devices, but not on the Proxmark3 Easy.

My conclusion is that there’s an issue with this particular version of the Proxmark3 Easy, and it’s not an issue with the software. I think it’s an issue with SSP_CLK or SSP_FRAME not being generated or transmitted to the cpu correctly, but I have no drawings for the Proxmark3 Easy, so I’m just guessing.
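The "found 2 matching formats" lines in the sim output above (FC 12 / CN 1337 earlier in the thread, and FC 100 / CN 90 in the three captures here) come from the client decoding the same 26 Wiegand bits under more than one layout. The following is an added example, not code from this thread or from the Proxmark3 project: it packs FC/CN into an H10301 frame with both parity bits, verifies them on decode, and shows why the identical bits also read as "Indala 26-bit". The H10301 layout (even parity, 8-bit FC, 16-bit CN, odd parity) is the standard one; the 12-bit FC / 12-bit CN split assumed for ind26 is inferred from the thread's own numbers (FC 12 becomes 192 and FC 100 becomes 1600, i.e. the 8-bit FC followed by the top four CN bits), since the Proxmark definition itself is not on this page.

```python
# Added example; not code from this thread or from the Proxmark3 project.
# Packs a facility code (FC) and card number (CN) into a 26-bit H10301 frame,
# checks both parity bits, and shows why the client reports the same 26 bits
# as "HID H10301" and "Indala 26-bit" (two matching formats).
#
# Frame layout, bit 0 transmitted first and stored as the most significant bit:
#   H10301 : [P_even][FC  8 bits][CN 16 bits][P_odd]
#   ind26  : [P_even][FC 12 bits][CN 12 bits][P_odd]
# The 12/12 split for ind26 is an ASSUMPTION consistent with the thread's output
# (FC 12 -> 192, FC 100 -> 1600: the 8-bit FC plus the top 4 bits of the CN).
# Even parity at bit 0 covers bits 1..12; odd parity at bit 25 covers bits 13..24.

FRAME_BITS = 26
DATA_MASK = (1 << 24) - 1   # the 24 payload bits between the parity bits
HALF_MASK = (1 << 12) - 1   # one 12-bit parity group


def _parity(value: int) -> int:
    """1 if the low 12 bits of value hold an odd number of set bits, else 0."""
    return bin(value & HALF_MASK).count("1") & 1


def pack_h10301(fc: int, cn: int) -> int:
    """Return the 26-bit H10301 frame for fc/cn with correct parity bits."""
    if not (0 <= fc < 256 and 0 <= cn < 65536):
        raise ValueError("H10301 needs an 8-bit FC and a 16-bit CN")
    data = (fc << 16) | cn                  # payload, frame bits 1..24
    p_even = _parity(data >> 12)            # even parity over bits 1..12
    p_odd = 1 ^ _parity(data)               # odd parity over bits 13..24
    return (p_even << 25) | (data << 1) | p_odd


def unpack(frame: int, fc_bits: int):
    """Split a 26-bit frame into (fc, cn, parity_ok) for a leading-FC layout."""
    if frame >> FRAME_BITS:
        raise ValueError("frame is wider than 26 bits")
    p_even, p_odd = frame >> 25, frame & 1
    data = (frame >> 1) & DATA_MASK
    parity_ok = (p_even == _parity(data >> 12)) and (p_odd == (1 ^ _parity(data)))
    cn_bits = 24 - fc_bits
    return data >> cn_bits, data & ((1 << cn_bits) - 1), parity_ok


# Layouts that share this parity scheme, keyed by name -> FC width.
FORMATS = {"H10301": 8, "ind26": 12}


def matching_formats(frame: int) -> list:
    """Decode frame under every known layout, like the client's format search.

    Returns (name, fc, cn) for each layout whose parity bits check out; both
    layouts above use the same parity groups, so a valid frame matches twice.
    """
    hits = []
    for name, fc_bits in FORMATS.items():
        fc, cn, ok = unpack(frame, fc_bits)
        if ok:
            hits.append((name, fc, cn))
    return hits


if __name__ == "__main__":
    frame = pack_h10301(12, 1337)
    print(f"H10301 FC 12 CN 1337 -> 0x{frame:07x}")
    for name, fc, cn in matching_formats(frame):
        print(f"[{name:<7}] FC: {fc}  CN: {cn}  parity ( ok )")
    # A single flipped payload bit breaks a parity group, so nothing matches.
    print("after bit flip:", matching_formats(frame ^ (1 << 5)))
```

Run as a script it reproduces the two lines the client prints for FC 12 / CN 1337 (H10301 12/1337 and ind26 192/1337); the bit-flip case at the end is why a weak or distorted emulation shows up as "no read" at the reader rather than as a wrong card number, which is consistent with the readers in this thread simply ignoring the faulty boards.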

great info, I wonder if @Iceman could take a look, he may have some insights.

Alternatively , this may have been asked and answered on the RFID Discord.

Are you a member?
If not, here’s an invite

pref show
or did you enable hw dbg?

Since normally you shouldn’t see some of those messages.

he means run pref show as a command and post the output here :slight_smile:

Yes, sorry for being unclear, old habit to ask for output from misc pm3 commands.

I see that the debug was some extra statements the user added themselves.

So, I don’t have a new Pm3 easy or an older either. I have SE, rdv1,2,4, and a bunch of older gear. However I never use them.

I heard that new Pm3 Easy have external flash mem, so when it comes to models there are some recent/newer ones that we don’t know the hardware specs of, and it is unclear if it works or not. If you bought your pm3 easy from DT, then it should work since I know Amal does his QC quite well before shipping.

If you bought it from random site, I would suggest RMA at this time.
