git.zerfleddert.de Git - proxmark3-svn/blame - params.json
Add images for wiki.
{"name":"Proxmark3","tagline":"Proxmark 3","body":"NOTICE:\r\n(2014-03-17)\r\nMoving the repository from google code to GitHub is up for discussion!\r\nPlease check out the following thread and post your comments...\r\nhttp://www.proxmark.org/forum/viewtopic.php?id=1902\r\nDiscussions will close on March 31st.\r\n\r\n# Proxmark\r\n\r\nThe Proxmark III is a device developed by Jonathan Westhues that enables sniffing, reading and cloning of RFID (Radio Frequency Identification) tags. For my master thesis I wanted to look at the communication of Mifare Classic cards. Mifare Classic is used in many applications and is the most popular contactless card around. It is used in e-ticketing, public transport and access control. The higher-level protocol is kept secret by the manufacturer (NXP). I made an implementation of the ISO14443 type A standard for the Proxmark since Mifare is based on this communication standard.\r\n\r\nAfter a lot of debugging and many noisy traces the Proxmark was ready for some real analysis. I focused on the Mifare Classic card and was happy to let the communication between card and reader appear on my screen. I could see the anticollision phase where the reader selects the card to communicate with. This was followed by an authentication and after that all communication was encrypted. The findings of this research are published on arxiv.org as A Practical Attack on the Mifare Classic.\r\n\r\nIn December 2007 I saw the presentation of Karsten Nohl and Henryk Plotz where they showed how they reverse engineered the Mifare Classic chip. I was working on the same subject in Nijmegen. The Mifare system relied on security by obscurity and now the secrets are revealed there is no card-level security left. A video on youtube shows a demo that we gave on March 12th. It shows how we access a building with a cloned card.\r\n\r\n## Check out the repo...\r\n```\r\n$ cd your_repo_root/repo_name\r\n$ git fetch origin\r\n$ git checkout gh-pages\r\n```\r\n\r\nIf you're using GitHub for Mac, simply sync your repository and you'll see the new branch.\r\n\r\n# INTRO 2\r\n\r\nThis file contains enough software, logic (for the FPGA), and design\r\ndocumentation for the hardware that you could, at least in theory,\r\ndo something useful with a proxmark3. It has commands to:\r\n\r\n * read any kind of 125 kHz unidirectional tag\r\n * simulate any kind of 125 kHz unidirectional tag\r\n\r\n(This is enough to perform all of the silly cloning attacks, like the\r\nones that I did at the Capitol in Sacramento, or anything involving\r\na Verichip. From a technical standpoint, these are not that exciting,\r\nalthough the `software radio' architecture of the proxmark3 makes it\r\neasy and fun to support new formats.)\r\n\r\nAs a bonus, I include some code to use the 13.56 MHz hardware, so you can:\r\n\r\n * do anything that a (medium-range) ISO 15693 reader could\r\n * read an ISO 14443 tag, if you know the higher-layer protocol\r\n * pretend to be an ISO 14443 tag, if you know the higher-layer protocol\r\n * snoop on an ISO 14443 transaction\r\n\r\nI am not actively developing any of this. I have other projects that\r\nseem to be more useful.\r\n\r\n## USING THE PACKAGE\r\n\r\nThe software tools required to build include:\r\n\r\n* cygwin or other unix-like tools for Windows\r\n* devkitPro (http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM)\r\n* Xilinx's WebPack tools\r\n* Modelsim (for test only)\r\n* perl\r\n\r\nWhen installing devkitPro, you only need to install the compiler itself. Additional\r\nsupport libraries are not required.\r\n\r\nDocumentation is minimal, but see the doc/ directory for what exists. A\r\nprevious familiarity with the ARM, with digital signal processing,\r\nand with embedded programming in general is assumed.\r\n\r\nThe device is used through a specialized command line interface; for\r\nexample, to clone a Verichip, you might type:\r\n\r\n loread ; this reads the tag, and stores the\r\n ; raw samples in memory on the ARM\r\n\r\n losamples ; then we download the samples to\r\n ; the PC\r\n\r\n vchdemod clone ; demodulate the ID, and then put it\r\n ; back in a format that we can replay\r\n\r\n losim ; and then replay it\r\n\r\nTo read an ISO 15693 tag, you might type:\r\n\r\n hiread ; read the tag; this involves sending a\r\n ; particular command, and then getting\r\n ; the response (which is stored as raw\r\n ; samples in memory on the ARM)\r\n\r\n hisamples ; then download those samples to the PC\r\n\r\n hi15demod ; and demod them to bits (and check the\r\n ; CRC etc. at the same time)\r\n\r\nNotice that in both cases the signal processing mostly happened on the PC\r\nside; that is of course not practical for a real reader, but it is easier\r\nto initially write your code and debug on the PC side than on the ARM. As\r\nlong as you use integer math (and I do), it's trivial to port it over\r\nwhen you're done.\r\n\r\nThe USB driver and bootloader are documented (and available separately\r\nfor download, if you wish to use them in another project) at\r\n\r\n http://cq.cx/trivia.pl\r\n\r\n\r\n## OBTAINING HARDWARE:\r\n\r\nMost of the ultra-low-volume contract assemblers that have sprung up\r\n(Screaming Circuits, the various cheap Asian suppliers, etc.) could put\r\nsomething like this together with a reasonable yield. A run of around\r\na dozen units is probably cost-effective. The BOM includes (possibly-\r\noutdated) component pricing, and everything is available from Digikey\r\nand the usual distributors.\r\n\r\nIf you've never assembled a modern circuit board by hand, then this is\r\nnot a good place to start. Some of the components (e.g. the crystals)\r\nmust not be assembled with a soldering iron, and require hot air.\r\n\r\nThe schematics are included; the component values given are not\r\nnecessarily correct for all situations, but it should be possible to do\r\nnearly anything you would want with appropriate population options.\r\n\r\nThe printed circuit board artwork is also available, as Gerbers and an\r\nExcellon drill file.\r\n\r\n\r\n## FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:\r\n\r\nAt some point I should write software involving a proper real-time\r\noperating system for the ARM. I would then provide interrupt-driven\r\ndrivers for many of the peripherals that are polled now (the USB,\r\nthe data stream from the FPGA), which would make it easier to develop\r\ncomplex applications.\r\n\r\nIt would not be all that hard to implement the ISO 15693 reader properly\r\n(with anticollision, all the commands supported, and so on)--the signal\r\nprocessing is already written, so it is all straightforward applications\r\nwork.\r\n\r\nI have basic support for ISO 14443 as well: a sniffer, a simulated\r\ntag, and a reader. It won't do anything useful unless you fill in the\r\nhigh-layer protocol.\r\n\r\nNicer (i.e., closer-to-optimal) implementations of all kinds of signal\r\nprocessing would be useful as well.\r\n\r\nA practical implementation of the learning-the-tag's-ID-from-what-the-\r\nreader-broadcasts-during-anticollision attacks would be relatively\r\nstraightforward. This would involve some signal processing on the FPGA,\r\nbut not much else after that.\r\n\r\nIt would be neat to write a driver that could stream samples from the A/Ds\r\nover USB to the PC, using the full available bandwidth of USB. I am not\r\nyet sure what that would be good for, but surely something. This would\r\nrequire a kernel-mode driver under Windows, though, which is more work.\r\n\r\n\r\n## LICENSING:\r\n\r\nThis program is free software; you can redistribute it and/or modify\r\nit under the terms of the GNU General Public License as published by\r\nthe Free Software Foundation; either version 2 of the License, or\r\n(at your option) any later version.\r\n\r\nThis program is distributed in the hope that it will be useful,\r\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\r\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\nGNU General Public License for more details.\r\n\r\nYou should have received a copy of the GNU General Public License\r\nalong with this program; if not, write to the Free Software\r\nFoundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\r\n\r\n\r\nJonathan Westhues\r\nuser jwesthues, at host cq.cx\r\n\r\nMay 2007, Cambridge MA\r\n\r\n","google":"","note":"Don't delete this file! It's used internally to help with page regeneration."}
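Two points in the README body above deserve a worked example: the CRC check that the `hi15demod` step performs on an ISO 15693 response, and the "learn the tag's ID from what the reader broadcasts during anticollision" attack listed under FUTURE PLANS, which works because the ISO 14443-A reader repeats the full UID in its SELECT frame. The C below is an added example written for this page; it is not proxmark3 code and not Jonathan Westhues's. The sample frames are constructed here (the ISO 15693 Inventory request `26 01 00` plus its CRC, the two CRC_A vectors from ISO/IEC 14443-3 Annex B, and a hypothetical UID `DE AD BE EF`), and all function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Reflected CRC-16, polynomial 0x8408 (bit-reversed CRC-CCITT). Both ISO 14443-3
 * and ISO 15693-3 use it; they differ only in the initial register value and in
 * whether the result is complemented. */
static uint16_t crc16_8408(const uint8_t *buf, size_t len, uint16_t init)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 1u) ? (uint16_t)((crc >> 1) ^ 0x8408u) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* ISO 14443-3 CRC_A: initial value 0x6363, not complemented, sent low byte first. */
uint16_t crc_a(const uint8_t *buf, size_t len)
{
    return crc16_8408(buf, len, 0x6363);
}

/* ISO 15693-3 CRC (same definition as ISO 14443-3 CRC_B): initial value 0xFFFF,
 * complemented, sent low byte first. */
uint16_t crc_iso15693(const uint8_t *buf, size_t len)
{
    return (uint16_t)~crc16_8408(buf, len, 0xFFFF);
}

/* Verify a received ISO 15693 frame (payload followed by its two CRC bytes):
 * running the uncomplemented register over payload and CRC together leaves the
 * constant residue 0xF0B8 when the frame is intact. */
bool iso15693_frame_ok(const uint8_t *frame, size_t len)
{
    if (len < 3) return false;
    return crc16_8408(frame, len, 0xFFFF) == 0xF0B8;
}

/* ISO 14443-A SELECT, cascade level 1, as transmitted by the reader:
 *   93 70 UID0 UID1 UID2 UID3 BCC CRC_A(lo) CRC_A(hi)
 * The reader repeats the tag's full UID here, so an eavesdropper who only
 * receives the reader's (much stronger) side still learns the ID. BCC is the
 * XOR of the four UID bytes. Fills uid[4] and returns true if all checks pass. */
bool parse_select_cl1(const uint8_t *frame, size_t len, uint8_t uid[4])
{
    if (len != 9 || frame[0] != 0x93 || frame[1] != 0x70) return false;
    uint8_t bcc = frame[2] ^ frame[3] ^ frame[4] ^ frame[5];
    if (bcc != frame[6]) return false;
    uint16_t crc = crc_a(frame, 7);
    if (frame[7] != (uint8_t)(crc & 0xFF) || frame[8] != (uint8_t)(crc >> 8)) return false;
    for (int i = 0; i < 4; i++) uid[i] = frame[2 + i];
    return true;
}

/* Build the same SELECT frame for a UID (what a real or simulated reader sends). */
void build_select_cl1(const uint8_t uid[4], uint8_t out[9])
{
    out[0] = 0x93; out[1] = 0x70;
    for (int i = 0; i < 4; i++) out[2 + i] = uid[i];
    out[6] = uid[0] ^ uid[1] ^ uid[2] ^ uid[3];
    uint16_t crc = crc_a(out, 7);
    out[7] = (uint8_t)(crc & 0xFF);
    out[8] = (uint8_t)(crc >> 8);
}

/* Constructed sample data for this example, not captures. */
const uint8_t sample_zero2[2] = { 0x00, 0x00 };                            /* ISO 14443-3 Annex B vector */
const uint8_t sample_1234[2]  = { 0x12, 0x34 };                            /* ISO 14443-3 Annex B vector */
const uint8_t sample_inventory[3] = { 0x26, 0x01, 0x00 };                  /* ISO 15693 Inventory, no CRC */
const uint8_t sample_inventory_frame[5] = { 0x26, 0x01, 0x00, 0xF6, 0x0A }; /* same request with CRC */
const uint8_t sample_uid[4] = { 0xDE, 0xAD, 0xBE, 0xEF };                  /* hypothetical UID */

/* Round trip: build a SELECT for sample_uid, parse the UID back out, then flip
 * one UID bit and confirm the stale BCC rejects the frame. */
bool select_roundtrip_demo(void)
{
    uint8_t frame[9], uid[4];
    build_select_cl1(sample_uid, frame);
    if (!parse_select_cl1(frame, 9, uid)) return false;
    for (int i = 0; i < 4; i++)
        if (uid[i] != sample_uid[i]) return false;
    frame[3] ^= 0x01;   /* single-bit error in UID1 */
    return !parse_select_cl1(frame, 9, uid);
}

int main(void)
{
    uint8_t frame[9], uid[4];
    printf("CRC_A(00 00) = %04X, sent as A0 1E\n", crc_a(sample_zero2, 2));
    printf("CRC_A(12 34) = %04X, sent as 26 CF\n", crc_a(sample_1234, 2));
    printf("CRC(26 01 00) = %04X, sent as F6 0A\n", crc_iso15693(sample_inventory, 3));
    printf("inventory frame intact: %d\n", iso15693_frame_ok(sample_inventory_frame, 5));
    build_select_cl1(sample_uid, frame);
    if (parse_select_cl1(frame, 9, uid))
        printf("reader SELECT leaks UID %02X %02X %02X %02X\n", uid[0], uid[1], uid[2], uid[3]);
    printf("tamper detection: %s\n", select_roundtrip_demo() ? "ok" : "FAILED");
    return 0;
}
```

The residue check in `iso15693_frame_ok` is the form a demodulator wants: it never has to split the CRC off the frame, it just runs the register over everything it received and compares against 0xF0B8. Note that CRC_A and BCC protect against noise, not against an attacker; a sniffer that hears only the reader can reconstruct the UID because SELECT carries it in the clear.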