HydraFW HydraNFC guide

Benjamin Vernoux edited this page Apr 11, 2015 · 48 revisions

HydraNFC must be plugged into the front side of HydraBus! (Power off the HydraBus before plugging in HydraNFC.)

This guide is up to date for firmware release HydraFW v0.5 Beta: HydraFW (HydraBus) v0.5-beta-0-gc0bc1f0 2015-02-11

#Read UID of an ISO/IEC 14443 Tag (Type A only, limited to 4-byte UID)

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • For example, to read a Mifare UID, type the following commands:
NFC> mifare
NFC> scan
ATQA: 04 00
UID:  CD 81 5F 76 (BCC 65 ok)
SAK:  08

You can also set scan options such as continuous mode and its period in milliseconds (the default period is 1000ms).

To stop a continuous scan, just press UBTN.
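The BCC printed after the UID is the XOR of the four UID bytes, and the ATQA and SAK carry the bits that say whether a 4-byte UID is the complete UID. The following Python code is an added example, not part of HydraFW: it parses the scan output shown above, recomputes the BCC and flags tags whose UID is longer than the 4 bytes this firmware reads. It assumes the ATQA bytes are printed in transmission order (low byte first); the function names `parse_scan` and `check_scan` are hypothetical.

```python
import re
from functools import reduce

# Constructed sample: the scan output shown in this section.
SAMPLE = "NFC> scan\nATQA: 04 00\nUID:  CD 81 5F 76 (BCC 65 ok)\nSAK:  08\n"

LINE_RE = re.compile(
    r"\s*(ATQA|UID|SAK):\s*((?:[0-9A-Fa-f]{2}\s*)+)(?:\(BCC\s+([0-9A-Fa-f]{2}))?")

def parse_scan(output):
    """Return {'ATQA': bytes, 'UID': bytes, 'SAK': bytes, 'BCC': int} from scan text."""
    rec = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt lines such as 'NFC> scan'
        rec[m.group(1)] = bytes(int(b, 16) for b in m.group(2).split())
        if m.group(3):
            rec["BCC"] = int(m.group(3), 16)
    return rec

def check_scan(rec):
    """Recompute the BCC and list reasons the 4-byte UID may not be the full UID."""
    uid, atqa, sak = rec["UID"], rec["ATQA"], rec["SAK"][0]
    findings = []
    bcc = reduce(lambda a, b: a ^ b, uid)  # BCC = XOR of the 4 UID bytes
    printed = rec.get("BCC")
    if printed is not None and printed != bcc:
        findings.append(f"BCC mismatch: printed {printed:02X}, computed {bcc:02X}")
    # Assumption: first printed ATQA byte is the low byte; its bits 7-6 give the
    # UID size (00 single, 01 double, 10 triple) per ISO/IEC 14443-3.
    size = atqa[0] >> 6
    if size != 0:
        findings.append(f"ATQA UID size bits = {size:02b}: UID is longer than 4 bytes")
    if sak & 0x04:  # cascade bit: more UID bytes follow at the next cascade level
        findings.append("SAK cascade bit set: UID not complete")
    if uid[0] == 0x88:  # cascade tag, only 3 real UID bytes in this block
        findings.append("first byte is cascade tag 0x88")
    return bcc, findings

if __name__ == "__main__":
    record = parse_scan(SAMPLE)
    computed, notes = check_scan(record)
    print(f"UID {record['UID'].hex(' ').upper()} BCC {computed:02X}",
          notes or "complete 4-byte UID")
```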

#Read UID of an ISO/IEC 15693 Tag

  • In the console, type nfc + Enter to enter the NFC mode dedicated to HydraNFC.
  • For example, to read a Vicinity UID, type the following commands:
NFC> vicinity
NFC> scan
UID: 0x00 0x00 0x6A 0x15 0x3A 0x18 0x00 0x00 0x07 0xE0

You can also set scan options such as continuous mode and its period in milliseconds (the default period is 1000ms).

To stop a continuous scan, just press UBTN.

#Unique NFC sniffer design

The HydraNFC firmware, called HydraFW (requires HydraBus), can sniff both sides of an ISO14443A exchange, PICC and PCD, in real time without any loss. It achieves this with highly optimized synchronization, look-up tables (LUT) and assembly code, together with the TI TRF7970A special raw mode, which delivers data sampled at 3.39MHz over SPI slave into a DMA circular buffer.

The whole process takes less than 1µs with code executing from flash memory (worst case, checked with an oscilloscope):

  1. NFC RX stream synchronization (by counting leading zero or reverse)
  2. Downsampling by 4 + filtering of raw data
    • 32 bits IN (@3.39MHz) => 8 bits OUT (848KHz)
  3. Detection of protocol
    • Modified Miller for PCD (Card Reader)
    • Manchester for PICC (Tag)
  4. Conversion of final decoded data
    • Choose the corresponding Look-Up Table for PICC or PCD
    • 8 bits IN (848KHz) => 1 bit OUT (106KHz), as ASCII hex stored in SRAM with the same syntax as Proxmark.

  • The NFC sniffer can also be programmed to decode and reply in real time.

So there is room to decode/encode any protocol at up to 1MHz (whereas NFC is limited to 848KHz).

Another advantage is that the GPIO of the STM32F4 can exceed 80MHz, so it is also possible to encode anything at 13.56MHz (limited by NFC) and to define/create a custom NFC encoder/decoder.

#Launch NFC sniffer from console

  • In the console, type nfc sniff + Enter (or press & release the HydraNFC K3 button) to start the sniffer, which sniffs ISO14443A.
  • Stop the sniffer by pressing & releasing the HydraNFC K4 button.
    • All sniffed data is displayed in the console.
    • If a MicroSD is present, the trace is automatically saved in a txt file when the sniffer is stopped (K4 is pressed & released).

#Autonomous/stand-alone sniffer mode

  1. The hardware:
    • 1 HydraBus
    • 1 HydraNFC (with NFC Antenna included)
    • 1 MicroSD card (formatted FAT16 or FAT32, up to 32GB)
      • Can be formatted using HydraBus and the command sd erase, or using Linux/Windows.
    • 1 Power Bank connected to HydraBus Micro USB1 or 2 to power the HydraBus + HydraNFC boards.
  2. Flash the official hydrafw firmware, 0.4 Beta 55 or later (see https://github.com/bvernoux/hydrafw/releases)

  3. Start/Stop the Sniffer:

    • Power the board.
    • Start the NFC sniffer by pressing & releasing the HydraNFC K3 button.
    • Place the HydraNFC Antenna between the TAG & the Reader.
    • When you have sniffed enough data, stop it by pressing & releasing the HydraNFC K4 button (it saves the data to the microSD, and the green LED blinks quickly if all is OK).
  4. Read/Analyze sniffed data:

    • With a PC microSD reader:

      • Power off the board, extract the microSD and read it with your computer/tablet...
    • With HydraBus:

      • Connect HydraBus to the PC, start a VT100 terminal (like PuTTY) on the USB Serial COM port and use the sd commands (sd ls, sd cat myfile.txt ...)
    • Files are created in the root of the microSD. They are text files in a format similar to Proxmark's (except there is no ! for parity), each saved as a txt file with a number that is incremented each time.
