[proxmark3-svn] / README.txt

INTRO:

This file contains enough software, logic (for the FPGA), and design
documentation for the hardware that you could, at least in theory,
do something useful with a proxmark3. It has commands to:

    * read any kind of 125 kHz unidirectional tag
    * simulate any kind of 125 kHz unidirectional tag

(This is enough to perform all of the silly cloning attacks, like the
ones that I did at the Capitol in Sacramento, or anything involving
a Verichip. From a technical standpoint, these are not that exciting,
although the `software radio' architecture of the proxmark3 makes it
easy and fun to support new formats.)

As a bonus, I include some code to use the 13.56 MHz hardware, so you can:

    * do anything that a (medium-range) ISO 15693 reader could
    * read an ISO 14443 tag, if you know the higher-layer protocol
    * pretend to be an ISO 14443 tag, if you know the higher-layer protocol
    * snoop on an ISO 14443 transaction

I am not actively developing any of this. I have other projects that
seem to be more useful.

USING THE PACKAGE:

The software tools required to build include:

    * cygwin or other unix-like tools for Windows
    * devkitPro (http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM)
    * Xilinx's WebPack tools
    * Modelsim (for test only)
    * perl

When installing devkitPro, you only need to install the compiler itself. Additional
support libraries are  not required.

Documentation is minimal, but see the doc/ directory for what exists. A
previous familiarity with the ARM, with digital signal processing,
and with embedded programming in general is assumed.

The device is used through a specialized command line interface; for
example, to clone a Verichip, you might type:

    loread                          ; this reads the tag, and stores the
                                    ; raw samples in memory on the ARM

    losamples                       ; then we download the samples to
                                    ; the PC

    vchdemod clone                  ; demodulate the ID, and then put it
                                    ; back in a format that we can replay

    losim                           ; and then replay it

To read an ISO 15693 tag, you might type:

    hiread                          ; read the tag; this involves sending a
                                    ; particular command, and then getting
                                    ; the response (which is stored as raw
                                    ; samples in memory on the ARM)

    hisamples                       ; then download those samples to the PC

    hi15demod                       ; and demod them to bits (and check the
                                    ; CRC etc. at the same time)

Notice that in both cases the signal processing mostly happened on the PC
side; that is of course not practical for a real reader, but it is easier
to initially write your code and debug on the PC side than on the ARM. As
long as you use integer math (and I do), it's trivial to port it over
when you're done.

The USB driver and bootloader are documented (and available separately
for download, if you wish to use them in another project) at

    http://cq.cx/trivia.pl


OBTAINING HARDWARE:

Most of the ultra-low-volume contract assemblers that have sprung up
(Screaming Circuits, the various cheap Asian suppliers, etc.) could put
something like this together with a reasonable yield. A run of around
a dozen units is probably cost-effective. The BOM includes (possibly-
outdated) component pricing, and everything is available from Digikey
and the usual distributors.

If you've never assembled a modern circuit board by hand, then this is
not a good place to start. Some of the components (e.g. the crystals)
must not be assembled with a soldering iron, and require hot air.

The schematics are included; the component values given are not
necessarily correct for all situations, but it should be possible to do
nearly anything you would want with appropriate population options.

The printed circuit board artwork is also available, as Gerbers and an
Excellon drill file.


FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:

At some point I should write software involving a proper real-time
operating system for the ARM. I would then provide interrupt-driven
drivers for many of the peripherals that are polled now (the USB,
the data stream from the FPGA), which would make it easier to develop
complex applications.

It would not be all that hard to implement the ISO 15693 reader properly
(with anticollision, all the commands supported, and so on)--the signal
processing is already written, so it is all straightforward applications
work.

I have basic support for ISO 14443 as well: a sniffer, a simulated
tag, and a reader. It won't do anything useful unless you fill in the
high-layer protocol.

Nicer (i.e., closer-to-optimal) implementations of all kinds of signal
processing would be useful as well.

A practical implementation of the learning-the-tag's-ID-from-what-the-
reader-broadcasts-during-anticollision attacks would be relatively
straightforward. This would involve some signal processing on the FPGA,
but not much else after that.

It would be neat to write a driver that could stream samples from the A/Ds
over USB to the PC, using the full available bandwidth of USB. I am not
yet sure what that would be good for, but surely something. This would
require a kernel-mode driver under Windows, though, which is more work.


LICENSING:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA


Jonathan Westhues
user jwesthues, at host cq.cx

May 2007, Cambridge MA
Commit	Line	Data
770f7345	1	INTRO:
	2
	3	This file contains enough software, logic (for the FPGA), and design
	4	documentation for the hardware that you could, at least in theory,
	5	do something useful with a proxmark3. It has commands to:
	6
	7	* read any kind of 125 kHz unidirectional tag
	8	* simulate any kind of 125 kHz unidirectional tag
	9
	10	(This is enough to perform all of the silly cloning attacks, like the
	11	ones that I did at the Capitol in Sacramento, or anything involving
	12	a Verichip. From a technical standpoint, these are not that exciting,
	13	although the `software radio' architecture of the proxmark3 makes it
	14	easy and fun to support new formats.)
	15
	16	As a bonus, I include some code to use the 13.56 MHz hardware, so you can:
	17
	18	* do anything that a (medium-range) ISO 15693 reader could
	19	* read an ISO 14443 tag, if you know the higher-layer protocol
	20	* pretend to be an ISO 14443 tag, if you know the higher-layer protocol
	21	* snoop on an ISO 14443 transaction
	22
	23	I am not actively developing any of this. I have other projects that
	24	seem to be more useful.
	25
	26	USING THE PACKAGE:
	27
	28	The software tools required to build include:
	29
	30	* cygwin or other unix-like tools for Windows
	31	* devkitPro (http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM)
	32	* Xilinx's WebPack tools
	33	* Modelsim (for test only)
	34	* perl
	35
	36	When installing devkitPro, you only need to install the compiler itself. Additional
	37	support libraries are not required.
	38
	39	Documentation is minimal, but see the doc/ directory for what exists. A
	40	previous familiarity with the ARM, with digital signal processing,
	41	and with embedded programming in general is assumed.
	42
	43	The device is used through a specialized command line interface; for
	44	example, to clone a Verichip, you might type:
	45
	46	loread ; this reads the tag, and stores the
	47	; raw samples in memory on the ARM
	48
	49	losamples ; then we download the samples to
	50	; the PC
	51
	52	vchdemod clone ; demodulate the ID, and then put it
	53	; back in a format that we can replay
	54
	55	losim ; and then replay it
	56
	57	To read an ISO 15693 tag, you might type:
	58
	59	hiread ; read the tag; this involves sending a
	60	; particular command, and then getting
	61	; the response (which is stored as raw
	62	; samples in memory on the ARM)
	63
	64	hisamples ; then download those samples to the PC
65
66	hi15demod ; and demod them to bits (and check the
67	; CRC etc. at the same time)
68
69	Notice that in both cases the signal processing mostly happened on the PC
70	side; that is of course not practical for a real reader, but it is easier
71	to initially write your code and debug on the PC side than on the ARM. As
72	long as you use integer math (and I do), it's trivial to port it over
73	when you're done.
74
75	The USB driver and bootloader are documented (and available separately
76	for download, if you wish to use them in another project) at
77
78	http://cq.cx/trivia.pl
79
80
81	OBTAINING HARDWARE:
82
83	Most of the ultra-low-volume contract assemblers that have sprung up
84	(Screaming Circuits, the various cheap Asian suppliers, etc.) could put
85	something like this together with a reasonable yield. A run of around
86	a dozen units is probably cost-effective. The BOM includes (possibly-
87	outdated) component pricing, and everything is available from Digikey
88	and the usual distributors.
89
90	If you've never assembled a modern circuit board by hand, then this is
91	not a good place to start. Some of the components (e.g. the crystals)
92	must not be assembled with a soldering iron, and require hot air.
93
94	The schematics are included; the component values given are not
95	necessarily correct for all situations, but it should be possible to do
96	nearly anything you would want with appropriate population options.
97
98	The printed circuit board artwork is also available, as Gerbers and an
99	Excellon drill file.
100
101
102	FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:
103
104	At some point I should write software involving a proper real-time
105	operating system for the ARM. I would then provide interrupt-driven
106	drivers for many of the peripherals that are polled now (the USB,
107	the data stream from the FPGA), which would make it easier to develop
108	complex applications.
109
110	It would not be all that hard to implement the ISO 15693 reader properly
111	(with anticollision, all the commands supported, and so on)--the signal
112	processing is already written, so it is all straightforward applications
113	work.
114
115	I have basic support for ISO 14443 as well: a sniffer, a simulated
116	tag, and a reader. It won't do anything useful unless you fill in the
117	high-layer protocol.
118
119	Nicer (i.e., closer-to-optimal) implementations of all kinds of signal
120	processing would be useful as well.
121
122	A practical implementation of the learning-the-tag's-ID-from-what-the-
123	reader-broadcasts-during-anticollision attacks would be relatively
124	straightforward. This would involve some signal processing on the FPGA,
125	but not much else after that.
126
127	It would be neat to write a driver that could stream samples from the A/Ds
128	over USB to the PC, using the full available bandwidth of USB. I am not
129	yet sure what that would be good for, but surely something. This would
130	require a kernel-mode driver under Windows, though, which is more work.
131
132
133	LICENSING:
134
135	This program is free software; you can redistribute it and/or modify
136	it under the terms of the GNU General Public License as published by
137	the Free Software Foundation; either version 2 of the License, or
138	(at your option) any later version.
139
140	This program is distributed in the hope that it will be useful,
141	but WITHOUT ANY WARRANTY; without even the implied warranty of
142	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
143	GNU General Public License for more details.
144
145	You should have received a copy of the GNU General Public License
146	along with this program; if not, write to the Free Software
147	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
148
149
150	Jonathan Westhues
151	user jwesthues, at host cq.cx
152
153	May 2007, Cambridge MA
154