PM3 Wiki

User Tools

Site Tools

Trace:
cvend

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
cvend [2026/01/17 09:51] – created shelvacucvend [2026/01/28 00:26] (current) – Add title asb
Line 1: Line 1:
 +====== cVEND NFC Reader ======
 +
 +
 cVEND is the NFC reader on the bottom half of the PM3 cVEND is the NFC reader on the bottom half of the PM3
  
-There are two connections, one carries 5V power and the other carries serial (todoUARTRS232?)+{{ :cvend_plug.pdf |}} 
 + 
 +The associated serial device appears to be at /dev/ttymxc3 in Linux. 
 + 
 + 
 +===== cVEND protocol notes ===== 
 + 
 + 
 +==== Reader -> Host ==== 
 + 
 +packet type 0xED seems to be a log message: 
 +  \xBC\xB9\0\xED\0h\xB6\x0306:48:13 Error: feclr_transceive() failed: error: 0, status0x00000008  
 + 
 +0xB9 - card read? 
 + 
 +==== Host -> reader ==== 
 +0xBC - appears after every read (ack of some sort?) 
 + 
 + 
 +==== Card read flow ==== 
 +  R: BCB600B9000BBB0C000000048A6EF29B149079CB8CF0 
 +  H: BC2200BC000158602A714F60 
 +  R: BCB722BD001E3D00000401013300160504010103001605048A6EF29B149020487330305022C98C7E9B 
 +  H: BC2300BC0004AA5A2BC3F911A8A56A 
 +  R: BCB823BD0002E301FDE0523164 
 + 
 + 
 +Another one: 
 +  R:  BCBF00B9000B480C000000048A6EF29B149079CB8CF0 
 +  H:  BC2400BC0001C4602A714F60 
 +  R:  BCC024BD001E0800000401013300160504010103001605048A6EF29B149020487330305022C98C7E9B 
 +  H:  BC2500BC0004365A2BC3F911A8A56A 
 +  R:  BCC125BD00027401FDE0523164 
 +   
 +   
 +Sample log message: 
 +  BCB000ED0068450330363A34383A3038204572726F723A206665636C725F7472616E7363656976652829206661696C65643A206572726F723A20302C207374617475733A2030783030303030303038200A205B524649445265616465724D756C74694170702E6370703A3135395D0002CD1533BCB100ED0046B40130363A34383A3038207472616E7363656976652065 
 + 
 + 
 +  00000000  bc b0 00 ed 00 68 45 03 30 36 3a 34 38 3a 30 38  |¼°.í.hE.06:48:08| 
 +  00000010  20 45 72 72 6f 72 3a 20 66 65 63 6c 72 5f 74 72  | Error: feclr_tr| 
 +  00000020  61 6e 73 63 65 69 76 65 28 29 20 66 61 69 6c 65  |ansceive() faile| 
 +  00000030  64 3a 20 65 72 72 6f 72 3a 20 30 2c 20 73 74 61  |d: error: 0, sta| 
 +  00000040  74 75 73 3a 20 30 78 30 30 30 30 30 30 30 38 20  |tus: 0x00000008 | 
 +  00000050  0a 20 5b 52 46 49 44 52 65 61 64 65 72 4d 75 6c  |. [RFIDReaderMul| 
 +  00000060  74 69 41 70 70 2e 63 70 70 3a 31 35 39 5d 00 02  |tiApp.cpp:159]..| 
 +  00000070  cd 15 33 bc b1 00 ed 00 46 b4 01 30 36 3a 34 38  |Í.3¼±.í.F´.06:48| 
 +  00000080  3a 30 38 20 74 72 61 6e 73 63 65 69 76 65 20 65  |:08 transceive e| 
 +   
 +   
 +   
 +There are 4 bytes appended at the end of some messages (presumably those with ID LSB=1, if the Rust struct description is accurate?) which is not a CRC32 with any polynomial I recognize, but a CRC32 of (message + CRC) is always 0xFFFFFFFF. These 4 bytes are NOT included in the length. 
 + 
 +The checksum is _appended_, as can be seen by it following the log message (after the final \0). 
 + 
 +is it a _little endian_, _bit negated_ CRC32. Which is weird because the length is big endian?..
  
  
 +* Host only sends two types of messages after initialization - both of type 0xBC. One is length 1 and the body is always 0x60 (+ negated CRC 2A714F60), the other is of length 4 and the body is always 5A2BC3F9 (+ negated-CRC 11A8A56A)
cvend.1768643471.txt.gz · Last modified: by shelvacu