HydraFW HydraNFC v1 guide
HydraNFC v1 must be plugged on the front side of HydraBus. Power off the HydraBus before plugging in HydraNFC.
HydraNFC Shield v1 is now superseded by HydraNFC Shield v2, which is maintained in another fork: https://github.com/hydrabus/hydrafw_hydranfc_shield_v2
This guide is updated for firmware release HydraFW v0.8 Beta: HydraFW (HydraBus) v0.8-beta-0-ga2aab9d 2016-10-13
Read UID of an ISO/IEC 14443 Tag (Type A only, 4- or 7-byte UID)
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to read a MIFARE UID, type the following commands:
NFC> typea
NFC> scan
ATQA: 04 00
UID: CD 81 5F 76 (BCC 65 ok)
SAK: 08
You can also pass options to scan, such as continuous mode and its period in milliseconds (the default period is 1000 ms). To stop a continuous scan, press UBTN.
Read UID and data of a MIFARE Ultralight Tag
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to read a MIFARE Ultralight UID plus its 64 bytes of data, type the following commands:
NFC> typea
NFC> scan
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
(DATA BCC0 FD ok)
(DATA BCC1 66 ok)
- Example: to read a MIFARE Ultralight tag and save it to the microSD card, type the following commands:
NFC> read-mf-ul mf-ul-64bytes-data.mfd
ATQA: 44 00
SAK1: 04
SAK2: 00
UID: 04 1F 6E FA 2E 31 83
DATA:
04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31 83
(DATA BCC0 FD ok)
(DATA BCC1 66 ok)
write file 0:mf-ul-64bytes-data.mfd with success
In this example the file mf-ul-64bytes-data.mfd is created in the root directory of the microSD card. It contains all data read from the tag and is a full dump in the same format as a libnfc MIFARE dump (but for MIFARE Ultralight).
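As an added example (not HydraFW code), the following Python parses the 64-byte dump shown above: it re-checks BCC0/BCC1 the way the firmware reports them, rebuilds the 7-byte UID, and decodes the NDEF URI record stored in the user pages. The cascade tag value 0x88 and the URI prefix table are taken from ISO/IEC 14443-3 and the NFC Forum URI record definition, not from the page.

```python
from typing import Optional

# Added example (not HydraFW code). Dump bytes copied from the DATA lines above.
DUMP = bytes.fromhex(
    "04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00"
    "03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E"
    "63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E"
    "6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
)
CASCADE_TAG = 0x88   # CT byte sent in cascade level 1 of a 7-byte UID (ISO/IEC 14443-3)
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}

def parse_uid(dump: bytes) -> dict:
    """Page 0 = UID0 UID1 UID2 BCC0, page 1 = UID3..UID6, page 2 = BCC1 internal lock lock."""
    p0, p1, p2 = dump[0:4], dump[4:8], dump[8:12]
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]     # what "DATA BCC0 FD ok" checks
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]           # what "DATA BCC1 66 ok" checks
    return {"uid": (p0[:3] + p1).hex().upper(), "bcc0_ok": bcc0 == p0[3], "bcc1_ok": bcc1 == p2[0]}

def parse_ndef_uri(dump: bytes) -> Optional[str]:
    """Walk the Type 2 Tag TLVs starting at page 4 and decode a short NDEF URI ('U') record."""
    if dump[12] != 0xE1:                   # capability container magic byte: tag is not NDEF formatted
        return None
    i = 16
    while i + 1 < len(dump):
        tag = dump[i]
        if tag == 0x00:                    # NULL TLV, single byte
            i += 1
            continue
        if tag == 0xFE:                    # Terminator TLV
            break
        length = dump[i + 1]
        body = dump[i + 2:i + 2 + length]
        if tag == 0x03 and length >= 4:    # NDEF Message TLV
            hdr, tlen, plen = body[0], body[1], body[2]
            well_known_uri = (hdr & 0x07) == 0x01 and (hdr & 0x10) and body[3:3 + tlen] == b"U"
            if well_known_uri:             # TNF well-known, SR bit set (1-byte payload length)
                payload = body[3 + tlen:3 + tlen + plen]
                return URI_PREFIX.get(payload[0], "") + payload[1:].decode("utf-8")
        i += 2 + length
    return None
```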
Read UID of an ISO/IEC 15693 Tag
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to read a Vicinity UID, type the following commands:
NFC> vicinity
NFC> scan
UID: 0x00 0x00 0x6A 0x15 0x3A 0x18 0x00 0x00 0x07 0xE0
You can also pass options to scan, such as continuous mode and its period in milliseconds (the default period is 1000 ms). To stop a continuous scan, press UBTN.
Emul ISO14443a Tag
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to emulate an ISO 14443A tag UID, type the following commands:
NFC> emul-3a
NFC Tag Emulation UID SDD started
Press user button(UBTN) to stop.
Launch another shell with an NFC dongle reader such as the SCM Micro SCL3711-NFC&RW:
- nfc-anticol.exe used in this example is a tool that is part of libnfc 1.7.1
- The HydraNFC antenna is placed on top of the SCM Micro SCL3711-NFC reader
nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits: 26 (7 bits)
Response after 1176 cycles
Received bits: 04 00
Sent bits: 93 20
Response after 1176 cycles
Received bits: cd 81 5f 76 65
Sent bits: 93 70 cd 81 5f 76 65 d1 86
Response after 1176 cycles
Received bits: 20 fc 70
Sent bits: e0 50 bc a5
Received bits:
Sent bits: 50 00 57 cd
Received bits:
Found tag with
UID: cd815f76
ATQA: 0004
SAK: 20
Emul MIFARE Ultralight Tag (Alpha version)
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to emulate a MIFARE Ultralight tag (previously read with read-mf-ul mf-ul-64bytes-data.mfd), type the following commands:
NFC> emul-mf-ul filename mf-ul-64bytes-data.mfd
DATA:
04 1F 6E FD FA 2E 31 83 66 48 00 00 E1 10 06 00
03 11 D1 01 0D 55 01 68 79 64 72 61 62 75 73 2E
63 6F 6D FE 20 62 79 20 53 74 6F 6C 6C 6D 61 6E
6E FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DATA UID: 04 1F 6E FA 2E 31
(DATA BCC0 FD ok)
(DATA BCC1 66 ok)
NFC Emulation Mifare Ultralight started
7Bytes UID: 04 1F 6E FA 2E 31 83
ATQA: 44 00
SAK1: 04
SAK2: 00
Press user button(UBTN) to stop.
Launch another shell with an NFC dongle reader such as the SCM Micro SCL3711-NFC&RW:
- nfc-mfultralight.exe used in this example is a tool that is part of libnfc 1.7.1
- The HydraNFC antenna is placed on top of the SCM Micro SCL3711-NFC reader
>nfc-mfultralight.exe r dump.mfd
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID: 041f6efa2e3183
Reading 16 pages ||
Done, 0 of 16 pages readed.
Because this feature is alpha and needs a rewrite (see https://github.com/bvernoux/hydrafw/issues/43), the data cannot currently be read correctly by a reader such as the SCM Micro SCL3711-NFC&RW (timing problems in the emulation). It is mainly a proof of concept.
Emul Mifare Classic Tag
- In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
- Example: to emulate a Mifare One tag UID, type the following commands:
NFC> emul-mifare
NFC Emulation Mifare One UID started
Press user button(UBTN) to stop.
Launch another shell with an NFC dongle reader such as the SCM Micro SCL3711-NFC&RW:
- nfc-anticol.exe used in this example is a tool that is part of libnfc 1.7.1
- The HydraNFC antenna is placed on top of the SCM Micro SCL3711-NFC reader
>nfc-anticol.exe -t
NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits: 26 (7 bits)
Response after 1160 cycles
Received bits: 04 00
Sent bits: 93 20
Response after 1156 cycles
Received bits: cd 81 5f 76 65
Sent bits: 93 70 cd 81 5f 76 65 d1 86
Response after 1152 cycles
Received bits: 08 b6 dd
Sent bits: 50 00 57 cd
Received bits:
Found tag with
UID: cd815f76
ATQA: 0004
SAK: 08
Note: the timing can be adjusted to be compliant; the expected "Response after" value is 1172 cycles.
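Added example (not HydraFW or libnfc code) covering the two nfc-anticol traces above (emul-3a and emul-mifare): it recomputes what the reader checks on each frame, the BCC of the anticollision reply and the CRC_A trailing SELECT, SAK, RATS and HLTA. The frame list is constructed from the page's Sent/Received lines; the CRC_A parameters are those of ISO/IEC 14443-3.

```python
# Added example (not HydraFW or libnfc code). Frames constructed from the nfc-anticol traces above.

def crc_a(data: bytes) -> bytes:
    """CRC_A of ISO/IEC 14443-3 (init 0x6363, reflected poly 0x8408), transmitted low byte first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = (crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)
    return bytes([crc & 0xFF, crc >> 8])

def bcc_ok(uid_bcc: bytes) -> bool:
    """Cascade level 1 anticollision reply: UID0..UID3 followed by BCC = XOR of the four bytes."""
    return len(uid_bcc) == 5 and (uid_bcc[0] ^ uid_bcc[1] ^ uid_bcc[2] ^ uid_bcc[3]) == uid_bcc[4]

def crc_ok(frame: bytes) -> bool:
    """Last two bytes of a standard frame must equal CRC_A over everything before them."""
    return len(frame) > 2 and crc_a(frame[:-2]) == frame[-2:]

def check_frame(hexstr: str) -> dict:
    """Classify one frame from the trace and verify its integrity field as a reader would."""
    f = bytes.fromhex(hexstr)
    if len(f) < 2:                              # REQA (7-bit short frame, no CRC) or empty
        return {"kind": "REQA" if f == b"\x26" else "empty", "ok": f == b"\x26"}
    if f == b"\x93\x20":                        # ANTICOLLISION cascade level 1, no CRC
        return {"kind": "ANTICOL", "ok": True}
    if len(f) == 2:                             # ATQA, no CRC
        return {"kind": "ATQA", "ok": True, "atqa": f.hex()}
    if f[:2] == b"\x93\x70":                    # SELECT cl1: 93 70 UID0..3 BCC CRC_A
        return {"kind": "SELECT", "ok": crc_ok(f) and bcc_ok(f[2:7]), "uid": f[2:6].hex()}
    if len(f) == 5:                             # UID0..3 + BCC (anticollision reply)
        return {"kind": "UID+BCC", "ok": bcc_ok(f), "uid": f[:4].hex()}
    if len(f) == 3:                             # SAK + CRC_A
        sak = f[0]                              # bit 0x20: ISO14443-4 compliant; 0x04: UID incomplete
        return {"kind": "SAK", "ok": crc_ok(f), "sak": sak,
                "iso14443_4": bool(sak & 0x20), "uid_incomplete": bool(sak & 0x04)}
    if f[0] == 0xE0:                            # RATS + CRC_A
        return {"kind": "RATS", "ok": crc_ok(f)}
    if f[:2] == b"\x50\x00":                    # HLTA + CRC_A
        return {"kind": "HLTA", "ok": crc_ok(f)}
    return {"kind": "other", "ok": crc_ok(f)}

# Sent/Received frames of the emul-3a trace above, in order
TRACE_EMUL_3A = ["26", "93 20", "cd 81 5f 76 65", "93 70 cd 81 5f 76 65 d1 86",
                 "20 fc 70", "e0 50 bc a5", "50 00 57 cd"]

def verify_trace(frames) -> bool:
    """True when every frame's BCC / CRC_A is consistent, i.e. the emulated tag looked valid."""
    return all(check_frame(h)["ok"] for h in frames)
```

The SAK decoding explains the difference between the two traces: 0x20 announces an ISO14443-4 capable card (so the reader sends RATS), while 0x08 does not (the reader goes straight to HLTA).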
Unique NFC sniffer design
The HydraNFC firmware, HydraFW (requires HydraBus), can sniff ISO14443A PICC and PCD traffic on both sides in real time without any loss, thanks to highly optimized synchronization, look-up tables (LUT) and assembly optimizations, and to the TI TRF7970A special raw mode, with data sampled at 3.39 MHz over SPI slave with a DMA circular buffer.
The whole process takes less than 1 µs with code executing from flash memory (worst case checked with an oscilloscope):
- NFC RX stream synchronization (by counting leading zeros, or the reverse, using the CLZ assembly instruction)
- Downsampling by 4 plus filtering of the raw data
  - 32 bits in (@3.39 MHz) => 8 bits out (848 kHz)
- Detection of the protocol
- Conversion to the final decoded data
- Choice of the corresponding look-up table for PICC or PCD
  - 8 bits in (848 kHz) => 1 bit out (106 kHz), stored in SRAM as ASCII hex with the same syntax as proxmark
- The NFC sniffer can also be programmed to decode and reply in real time.
So there is room to decode/encode any protocol at up to 1 MHz (NFC itself is limited to 848 kHz).
Another advantage is that the STM32F4 GPIO can exceed 80 MHz, so it is also possible to encode anything at 13.56 MHz (the NFC limit) and define/create a custom NFC encoder/decoder.
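To make the stages above concrete, here is an added, simplified Python model (not HydraFW code) of the PICC-side pipeline: CLZ-based synchronization, downsampling by 4, a Manchester look-up table, and parity-checked bytes written out as proxmark-style hex. The sample layout, the majority filter and the LUT patterns are modelling assumptions; the real firmware works on raw TRF7970A samples with its own tables.

```python
# Added example (not HydraFW code): simplified model of the PICC-side sniffer pipeline.
# Assumed sample layout: 3.39 MHz / 106 kbit/s = 32 raw samples per bit, 8 per bit after /4.

def encode_picc(data: bytes, idle: int = 40) -> list:
    """Constructed test signal: Manchester PICC frame = start bit, bytes LSB first + odd parity."""
    bits = [1]                                              # start of communication (sequence D)
    for byte in data:
        b = [(byte >> k) & 1 for k in range(8)]
        bits += b + [1 - (sum(b) & 1)]                      # odd parity bit
    burst, quiet = [1, 1, 0, 0] * 4, [0] * 16               # 848 kHz subcarrier = 4 samples/cycle
    out = [0] * idle
    for bit in bits:
        out += burst + quiet if bit else quiet + burst      # 1: first half, 0: second half
    return out + [0] * 64                                   # end of communication (sequence F)

def sync(samples: list) -> int:
    """Locate the first modulated sample using CLZ on 32-bit words, as the firmware does."""
    for i in range(0, len(samples) - 31, 32):
        word = int("".join(map(str, samples[i:i + 32])), 2)
        if word:
            return i + (32 - word.bit_length())             # count leading zeros
    raise ValueError("no carrier modulation found")

def downsample(samples: list) -> list:
    """32 samples @3.39 MHz -> 8 @848 kHz: output bit set when >=2 of 4 raw samples are set."""
    return [int(sum(samples[i:i + 4]) >= 2) for i in range(0, len(samples) - 3, 4)]

PICC_LUT = {0xF0: 1, 0x0F: 0}     # Manchester: subcarrier in first half = 1, second half = 0

def decode_picc(samples: list) -> str:
    """Decode one PICC frame to hex bytes (proxmark-style output, without parity markers)."""
    coarse = downsample(samples[sync(samples):])
    bits = []
    for i in range(0, len(coarse) - 7, 8):
        pattern = int("".join(map(str, coarse[i:i + 8])), 2)
        if pattern not in PICC_LUT:                         # no subcarrier: end of frame
            break
        bits.append(PICC_LUT[pattern])
    if not bits or bits.pop(0) != 1:
        raise ValueError("missing start bit")
    out = []
    for i in range(0, len(bits) - 8, 9):                    # 8 data bits + 1 parity bit
        b, parity = bits[i:i + 8], bits[i + 8]
        if parity != 1 - (sum(b) & 1):
            raise ValueError("parity error")
        out.append(sum(bit << k for k, bit in enumerate(b)))
    return " ".join(f"{x:02X}" for x in out)
```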
Launch NFC sniffer from console
- In the console, type nfc sniff + Enter (or press and release the HydraNFC K3 button) to start the sniffer (sniffs ISO14443A).
- Stop the sniffer by pressing and releasing the HydraNFC K4 button.
- All sniffed data are displayed in the console.
- If a microSD card is present, the trace is automatically saved to a txt file when the sniffer is stopped (K4 pressed and released).
Sniffer ISO14443A wireshark pcap
HydraFW officially supports the sniffer with pcap output since https://github.com/hydrabus/hydrafw/pull/109 (commit https://github.com/Baldanos/hydrafw/commit/51ca6636dfc04580519e421dbfbfae975956bdda), so it is integrated in HydraFW v0.10 or later.
- The hardware:
  - 1 HydraBus
  - 1 HydraNFC (with NFC antenna included)
  - 1 microSD card (formatted FAT16 or FAT32, up to 32 GB). It can be formatted using HydraBus and the command sd erase, or using Linux/Windows.
- Flash the official hydrafw firmware 0.10 or later (see https://github.com/bvernoux/hydrafw/releases).
- Start/Stop the sniffer:
  - Power the board.
  - Start the NFC sniffer with the pcap option from the console: nfc sniff pcap
  - Place the HydraNFC antenna between the tag and the reader.
  - Depending on the tag/reader, the HydraNFC antenna should not be too close to the tag/reader; you can add corrugated fiberboard between the tag/reader and the HydraNFC antenna.
  - When you have sniffed enough data, stop by pressing and releasing the HydraNFC K4 button (the data is saved to the microSD card and the green LED blinks quickly if all is OK).
- Read/Analyze the sniffed data:
  - With a PC microSD reader: power off the board, extract the microSD card and read it with your computer/tablet. Copy the file nfc_sniff_x.pcap (x is a number from 0 to n, incremented each time a new pcap file is created) to your PC.
  - Configure Wireshark with the Lua dissector and open the pcap. The Wireshark Lua dissector and its documentation are available at https://github.com/NicoHub/Wireshark-RFID-dissector
Autonomous/stand-alone sniffer mode
- The hardware:
  - 1 HydraBus
  - 1 HydraNFC (with NFC antenna included)
  - 1 microSD card (formatted FAT16 or FAT32, up to 32 GB). It can be formatted using HydraBus and the command sd erase, or using Linux/Windows.
  - 1 power bank connected to HydraBus Micro USB1 or USB2 to power the HydraBus + HydraNFC boards.
- Flash the official hydrafw firmware 0.4 Beta 55 or later (see https://github.com/bvernoux/hydrafw/releases).
- Start/Stop the sniffer:
  - Power the board.
  - Start the NFC sniffer by pressing and releasing the HydraNFC K3 button or the HydraBus UBTN button.
  - Place the HydraNFC antenna between the tag and the reader.
  - Depending on the tag/reader, the HydraNFC antenna should not be too close to the tag/reader; you can add corrugated fiberboard between the tag/reader and the HydraNFC antenna.
  - When you have sniffed enough data, stop by pressing and releasing the HydraNFC K4 button (the data is saved to the microSD card and the green LED blinks quickly if all is OK).
- Read/Analyze the sniffed data:
  - With a PC microSD reader: power off the board, extract the microSD card and read it with your computer/tablet.
  - With HydraBus: connect HydraBus to the PC, start a VT100 terminal (such as PuTTY) on the USB serial COM port and use the sd commands (sd ls, sd cat myfile.txt ...).
- Files are created in the root of the microSD card as text files with a format similar to proxmark's (except that there is no ! for parity), saved in a txt file with a number incremented each time.
Sniffer ISO14443A with unique hard real-time infinite trace mode (supports only ISO14443A @106 kbit/s)
- 1 PC (Windows or Linux) with up to 3 USB ports available (or a USB 2.0 HS hub):
  - 1 USB port for the HydraBus/hydrafw console to configure the sniffer
  - 1 USB port, which shall be USB 2.0 High Speed, for the FTDI interface C232HM-DDHSL-0
  - 1 USB port for the NFC reader SCL3711 (an equivalent NFC reader can also be an Android phone not connected to the PC...)
- 1 NFC reader such as the SCL3711, or an Android phone that can read NFC tags...
- 1 HydraBus with at least HydraFW v0.8 Beta
- 1 FTDI interface C232HM-DDHSL-0
- UART FTDI C232HM-DDHSL-0 to HydraBus connection:

| C232HM-DDHSL-0 Pin | HydraBus Pin |
| --- | --- |
| Yellow ADBUS1 RX | PA9 / USART1_TX |
| Black GND | GND (near PA9) |

- libnfc tools (working with the NFC reader, mainly to generate some traffic such as reading a tag ...)
  - This can also be done with any NFC reader, such as an Android phone with an application that reads tags ...
- PuTTY or another VT100 serial (USB CDC) terminal to configure the sniffer
- hydratool to retrieve and decode the sniffed data from HydraBus/HydraNFC (@8.4 Mbaud 8N1) in real time.
3-1) Check that you have the latest HydraBus firmware flashed (or at least HydraFW v0.8 Beta)
- Check that HydraBus + HydraNFC work fine, for example by reading a tag and sniffing an exchange.
- Connect to the HydraBus USB (not the FTDI USB) and use a command like nfc sniff bin frame-time
- You can also use hydratool: click on the Terminal icon (tooltip "2nd Terminal"), select the HydraBus COM port, click Apply, then enter the command nfc sniff bin frame-time
- Now the HydraBus is in HydraNFC sniffer mode and any NFC Type A activity is captured in real time and transmitted over the FTDI UART to USB at 8.4 Mbaud.
- Note: using the FTDI interface C232HM-DDHSL-0 at 8.4 Mbaud is experimental and can be unreliable or not work with some C232HM-DDHSL-0 units, because the C232HM-DDHSL-0 baud rate is in theory limited to 6 Mbaud. At 8.4 Mbaud the frequency varies between 7.7 MHz and 8.5 MHz with a duty cycle of 46.4% / 53.6% (or the reverse), so up to +/-3.6% error/variation, but it still works with HydraBus configured at 8.4 Mbaud.
- For more details see the tests done at https://github.com/hydrabus/hydrafw/issues/112#issuecomment-579937105
3-2) Configure the serial port in hydratool
- In the main window called "HydraNFC real-time sniffer", press the settings icon to configure the COM port linked to the FTDI interface C232HM-DDHSL-0 connected to your PC.
- Under Select Serial Port, when you click on the combo box you should see the available COM ports; otherwise click on the Refresh button to refresh them.
- Set the BaudRate combo box to FTDI 8.4M and click on Apply.
- If you present an active NFC Type A reader (with a tag if you want to sniff both ways) to the HydraNFC antenna, you should see decoded data displayed in the "HydraNFC real-time sniffer" main window.
- See the setup and results obtained with an old version of hydratool here: 13Oct2016_live_sniff_mf_classic.md