INTRO:

This file contains enough software, logic (for the FPGA), and design
documentation for the hardware that you could, at least in theory,
do something useful with a proxmark3. It has commands to:

    * read any kind of 125 kHz unidirectional tag
    * simulate any kind of 125 kHz unidirectional tag

(This is enough to perform all of the silly cloning attacks, like the
ones that I did at the Capitol in Sacramento, or anything involving
a Verichip. From a technical standpoint, these are not that exciting,
although the `software radio' architecture of the proxmark3 makes it
easy and fun to support new formats.)

As a bonus, I include some code to use the 13.56 MHz hardware, so you can:

    * do anything that a (medium-range) ISO 15693 reader could
    * read an ISO 14443 tag, if you know the higher-layer protocol
    * pretend to be an ISO 14443 tag, if you know the higher-layer protocol
    * snoop on an ISO 14443 transaction

I am not actively developing any of this. I have other projects that
seem to be more useful.

USING THE PACKAGE:

The software tools required to build include:

    * cygwin or other unix-like tools for Windows
    * the Microsoft Visual C++ compiler (I use Version 6)
    * arm-elf-gcc; I use WinterMute's build, from http://www.devkitpro.org/
    * Xilinx's WebPack tools
    * Modelsim (for test only)
    * perl

It is not necessary to build the FPGA image yourself; a pre-compiled
image is provided, as armsrc/fpgaimg.c. This is a generated file,
though, and you can rebuild it by running fpga/go.bat.

Documentation is minimal, but see the doc/ directory for what exists. A
previous familiarity with the ARM, with digital signal processing,
and with embedded programming in general is assumed.

The device is used through a specialized command line interface; for
example, to clone a Verichip, you might type:

    loread          ; this reads the tag, and stores the
                    ; raw samples in memory on the ARM

    losamples       ; then we download the samples to
                    ; the PC

    vchdemod clone  ; demodulate the ID, and then put it
                    ; back in a format that we can replay

    losim           ; and then replay it

To read an ISO 15693 tag, you might type:

    hiread          ; read the tag; this involves sending a
                    ; particular command, and then getting
                    ; the response (which is stored as raw
                    ; samples in memory on the ARM)

    hisamples       ; then download those samples to the PC

    hi15demod       ; and demod them to bits (and check the
                    ; CRC etc. at the same time)

Notice that in both cases the signal processing mostly happened on the PC
side; that is of course not practical for a real reader, but it is easier
to initially write your code and debug on the PC side than on the ARM. As
long as you use integer math (and I do), it's trivial to port it over
when you're done.
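The CRC check that hi15demod performs on the demodulated bits is a good
illustration of the "write it in integer math on the PC, then port it"
approach. The following is an added example, not code from the proxmark3
package; the function names (iso15693_crc, iso15693_append_crc,
iso15693_frame_ok) and the sample frame bytes are my own. It implements
the CRC that ISO/IEC 15693-3 specifies: polynomial x^16 + x^12 + x^5 + 1
(0x8408 in bit-reversed form), register preset to 0xFFFF, result inverted,
and the two CRC bytes transmitted least-significant byte first after the
data. The same algorithm is the X.25 / PPP FCS-16, so the standard check
string "123456789" must yield 0x906E.

```c
/* ISO 15693 frame CRC, integer math only, so it runs unchanged on the PC
 * side (where hi15demod does its work) and on the ARM. Added example,
 * not part of the proxmark3 sources. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-16 per ISO/IEC 15693-3: reflected poly 0x8408, preset 0xFFFF,
 * final complement. Returns the value the tag (or reader) should send. */
uint16_t iso15693_crc(const uint8_t *v, size_t n)
{
    uint32_t reg = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        reg ^= v[i];
        for (int j = 0; j < 8; j++) {
            if (reg & 1)
                reg = (reg >> 1) ^ 0x8408;
            else
                reg >>= 1;
        }
    }
    return (uint16_t)(~reg & 0xFFFF);
}

/* Copy data into out and append its CRC, LSB first as the standard
 * requires. Returns the frame length, or 0 if out is too small. */
size_t iso15693_append_crc(const uint8_t *data, size_t n,
                           uint8_t *out, size_t cap)
{
    if (cap < n + 2)
        return 0;
    memcpy(out, data, n);
    uint16_t crc = iso15693_crc(data, n);
    out[n]     = (uint8_t)(crc & 0xFF);   /* low byte first */
    out[n + 1] = (uint8_t)(crc >> 8);
    return n + 2;
}

/* Validate a demodulated frame (payload followed by its two CRC bytes).
 * Recomputes the CRC over the payload and compares it with the two
 * trailing bytes. Returns 1 if the frame is intact, 0 if it is too short
 * or the CRC does not match (e.g. a bit error in demodulation). */
int iso15693_frame_ok(const uint8_t *frame, size_t len)
{
    if (len < 2)
        return 0;
    uint16_t sent = (uint16_t)(frame[len - 2] | (frame[len - 1] << 8));
    return iso15693_crc(frame, len - 2) == sent;
}

int main(void)
{
    /* Constructed sample payload, not a captured one: flags byte, DSFID,
     * and an 8-byte UID in transmission order (ISO 15693 UIDs begin with
     * 0xE0 in their most significant byte, which is sent last). */
    const uint8_t body[] = {0x00, 0x00,
                            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xE0};
    uint8_t frame[16];
    size_t n = iso15693_append_crc(body, sizeof body, frame, sizeof frame);

    printf("check value for \"123456789\": 0x%04X\n",
           iso15693_crc((const uint8_t *)"123456789", 9));
    printf("intact frame valid:    %d\n", iso15693_frame_ok(frame, n));

    frame[3] ^= 0x01;   /* inject a single-bit demodulation error */
    printf("corrupted frame valid: %d\n", iso15693_frame_ok(frame, n));
    return 0;
}
```

Because the check compares the recomputed CRC with the transmitted bytes
rather than relying on a residue constant, it reads the same way whether
you are validating a tag response on the PC or a reader command on the ARM.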
The USB driver and bootloader are documented (and available separately
for download, if you wish to use them in another project) at

    http://cq.cx/trivia.pl


OBTAINING HARDWARE:

Most of the ultra-low-volume contract assemblers that have sprung up
(Screaming Circuits, the various cheap Asian suppliers, etc.) could put
something like this together with a reasonable yield. A run of around
a dozen units is probably cost-effective. The BOM includes (possibly-outdated)
component pricing, and everything is available from Digikey
and the usual distributors.

If you've never assembled a modern circuit board by hand, then this is
not a good place to start. Some of the components (e.g. the crystals)
must not be assembled with a soldering iron, and require hot air.

The schematics are included; the component values given are not
necessarily correct for all situations, but it should be possible to do
nearly anything you would want with appropriate population options.

The printed circuit board artwork is also available, as Gerbers and an
Excellon drill file.


FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:

At some point I should write software involving a proper real-time
operating system for the ARM. I would then provide interrupt-driven
drivers for many of the peripherals that are polled now (the USB,
the data stream from the FPGA), which would make it easier to develop
complex applications.

It would not be all that hard to implement the ISO 15693 reader properly
(with anticollision, all the commands supported, and so on); the signal
processing is already written, so it is all straightforward applications
work.

I have basic support for ISO 14443 as well: a sniffer, a simulated
tag, and a reader. It won't do anything useful unless you fill in the
higher-layer protocol.

Nicer (i.e., closer-to-optimal) implementations of all kinds of signal
processing would be useful as well.

A practical implementation of the
learning-the-tag's-ID-from-what-the-reader-broadcasts-during-anticollision
attacks would be relatively straightforward. This would involve some
signal processing on the FPGA, but not much else after that.

It would be neat to write a driver that could stream samples from the A/Ds
over USB to the PC, using the full available bandwidth of USB. I am not
yet sure what that would be good for, but surely something. This would
require a kernel-mode driver under Windows, though, which is more work.


LICENSING:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA


Jonathan Westhues
user jwesthues, at host cq.cx

May 2007, Cambridge MA