Description
When using the `hf mf eload` command to load a MIFARE dump into the emulator’s memory and then running `hf mf sim` to simulate the card, the operation succeeds roughly 1 in 10 times (i.e. the door opens once), but on the other attempts the Proxmark3 becomes unresponsive (all 4 LEDs flash chaotically) until it is power-cycled. Cloning and reading workflows function correctly; only the load + simulate sequence is affected.
Steps to Reproduce
- Connect the Proxmark3 Easy 512 K to macOS 15.4.1 via USB.
- In the `pm3` client, load a previously captured dump into the emulator:
  ```
  [usb|script] pm3 --> hf mf eload -f hf-mf-XXXXXXXX-dump.bin
  [=] Upload 64 blocks 1024 bytes
  [+] Loaded 1024 bytes from binary file hf-mf-XXXXXXXX-dump.bin
  [=] Uploading to emulator memory
  [=] ....
  [?] Hint: You are ready to simulate. See hf mf sim -h
  [=] Done!
  ```
- Attempt to simulate the card:
  ```
  [usb|script] pm3 --> hf mf sim --1k -u XXXXXXXX -i
  [=] MIFARE 1K | 4 bytes UID XX XX XX XX
  [=] Options [ numreads: 0, flags: 81 (0x0051) ]
  [=] Press pm3 button or a key to abort simulation
  [#] Enforcing Mifare 1K ATQA/SAK
  [#] 4B UID: XXXXXXXX
  [#] ATQA : 00 04
  [#] SAK : 08
  [!] Communicating with Proxmark3 device failed
  ```
- Observe that the Proxmark3 LEDs flash erratically and the client no longer responds.
- Reconnect the device’s power—after which the client becomes operational again, but the door lock never responds without a successful simulation.
Actual Behavior
- Only a few attempts work.
- Most attempts fail with a communication error, and the Proxmark3 firmware appears to lock up (LEDs flash, no client interaction).
- A power-cycle is required to restore functionality.
Expected Behavior
- Every `hf mf eload` → `hf mf sim` cycle should reliably simulate the card in emulator mode without requiring a reset.
- The Proxmark3 should remain responsive after a failed simulation, allowing immediate retry.
Environment
- OS: macOS 15.4.1 (aarch64)
- Proxmark3 Model: Easy 512 K
- hw output:
[usb] pm3 --> hw version
[ Proxmark3 ]
[ Client ]
Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:42 fee7ca416
Compiler.................. Clang/LLVM Apple LLVM 17.0.0 (clang-1700.0.13.3)
Platform.................. OSX / aarch64
Readline support.......... present
QT GUI support............ absent
Native BT support......... absent
Python script support..... present ( 3.13.3 )
Python SWIG support....... present
Lua script support........ present ( 5.4.7 )
Lua SWIG support.......... present
[ Model ]
Firmware.................. PM3 GENERIC
[ ARM ]
Bootrom.... Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:43 fee7ca416
OS......... Iceman/master/v4.20142-90-gb2983ba02-suspect 2025-05-01 12:09:43 fee7ca416
Compiler... GCC 13.3.1 20240614
[ FPGA ]
fpga_pm3_hf.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_lf.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_felica.ncd image 2s30vq100 24-04-2025 15:06:23
fpga_pm3_hf_15.ncd image 2s30vq100 24-04-2025 15:06:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 67% used )
[usb] pm3 --> hw tune
[=] -------- Reminder ----------------------------
[=] `hw tune` doesn't actively tune your antennas.
[=] It's only informative.
[=] Measuring antenna characteristics...
🕛 9
[=] -------- LF Antenna ----------
[+] 125.00 kHz ........... 25.71 V
[+] 134.83 kHz ........... 17.85 V
[+] 121.21 kHz optimal.... 26.36 V
[+]
[+] Approx. Q factor measurement
[+] Frequency bandwidth... 6.3
[+] Peak voltage.......... 7.7
[+] LF antenna............ ok
[=] -------- HF Antenna ----------
[+] 13.56 MHz............. 16.05 V
[+]
[+] Approx. Q factor measurement
[+] Peak voltage.......... 4.7
[+] HF antenna ( ok )
[=] -------- LF tuning graph ------------
[+] Orange line - divisor 95 / 125.00 kHz
[+] Blue line - divisor 88 / 134.83 kHz
No GUI in this build!
[=] Q factor must be measured without tag on the antenna
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size............. 40120
[#] Available memory........ 40120
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... fpga_pm3_hf.ncd image 2s30vq100 24-04-2025 15:06:23
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... yes
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | n/a | n/a |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | n/a | n/a |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | n/a | n/a |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] HF 14a config
[#] [a] Anticol override.............. std ( follow standard )
[#] [b] BCC override.................. std ( follow standard )
[#] [2] CL2 override.................. std ( follow standard )
[#] [3] CL3 override.................. std ( follow standard )
[#] [r] RATS override................. std ( follow standard )
[#] [m] Magsafe polling............... disabled
[#] [p] Polling loop annotation....... disabled 00000000000000000000000000000000
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 376320
[#] Transfer Speed PM3 -> Client... 752640 bytes/s
[#] Various
[#] Max stack usage......... 3520 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 32241 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)