5 <meta charset='utf-
8'
/>
6 <meta http-equiv=
"X-UA-Compatible" content=
"chrome=1" />
7 <meta name=
"description" content=
"Proxmark3 : Proxmark 3" />
9 <link rel=
"stylesheet" type=
"text/css" media=
"screen" href=
"stylesheets/stylesheet.css">
11 <title>Proxmark3
</title>
17 (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
18 (i[r].q=i[r].q||[]).push(arguments)},i[r].l=
1*new Date();a=s.createElement(o),
19 m=s.getElementsByTagName(o)[
0];a.async=
1;a.src=g;m.parentNode.insertBefore(a,m)
20 })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
22 ga('create', 'UA-
49140702-
1', 'proxmark.github.io');
23 ga('send', 'pageview');
27 <div id=
"header_wrap" class=
"outer">
28 <header class=
"inner">
29 <a id=
"forkme_banner" href=
"https://github.com/Proxmark/proxmark3">View on GitHub
</a>
31 <h1 id=
"project_title">Proxmark3
</h1>
32 <h2 id=
"project_tagline">Proxmark
3</h2>
34 <section id=
"downloads">
35 <a class=
"zip_download_link" href=
"https://github.com/Proxmark/proxmark3/zipball/master">Download this project as a .zip file
</a>
36 <a class=
"tar_download_link" href=
"https://github.com/Proxmark/proxmark3/tarball/master">Download this project as a tar.gz file
</a>
42 <div id=
"main_content_wrap" class=
"outer">
43 <section id=
"main_content" class=
"inner">
46 Moving the repository from google code to GitHub is up for discussion!
47 Please check out the following thread and post your comments...
48 <a href=
"http://www.proxmark.org/forum/viewtopic.php?id=1902">http://www.proxmark.org/forum/viewtopic.php?id=
1902</a>
49 Discussions will close on March
31st.
</p>
52 <a name=
"proxmark" class=
"anchor" href=
"#proxmark"><span class=
"octicon octicon-link"></span></a>Proxmark
</h1>
54 <p>The Proxmark III is a device developed by Jonathan Westhues that enables sniffing, reading and cloning of RFID (Radio Frequency Identification) tags. For my master thesis I wanted to look at the communication of Mifare Classic cards. Mifare Classic is used in many applications and is the most popular contactless card around. It is used in e-ticketing, public transport and access control. The higher-level protocol is kept secret by the manufacturer (NXP). I made an implementation of the ISO14443 type A standard for the Proxmark since Mifare is based on this communication standard.
</p>
56 <p>After a lot of debugging and many noisy traces the Proxmark was ready for some real analysis. I focused on the Mifare Classic card and was happy to let the communication between card and reader appear on my screen. I could see the anticollision phase where the reader selects the card to communicate with. This was followed by an authentication and after that all communication was encrypted. The findings of this research are published on arxiv.org as A Practical Attack on the Mifare Classic
</p>
58 <p>In December
2007 I saw the presentation of Karsten Nohl and Henryk Plotz where they showed how they reverse engineered the Mifare Classic chip. I was working on the same subject in Nijmegen. The Mifare system relied on security by obscurity and now the secrets are revealed there is no card-level security left. A video on youtube shows a demo that we gave on March
12th. It shows how we access a building with a cloned card.
</p>
61 <a name=
"checkout-the-repo" class=
"anchor" href=
"#checkout-the-repo"><span class=
"octicon octicon-link"></span></a>Checkout the repo...
</h2>
63 <pre><code>$ cd your_repo_root/repo_name
65 $ git checkout gh-pages
68 <p>If you're using the GitHub for Mac, simply sync your repository and you'll see the new branch.
</p>
71 <a name=
"intro-2" class=
"anchor" href=
"#intro-2"><span class=
"octicon octicon-link"></span></a>INTRO
2</h1>
73 <p>This file contains enough software, logic (for the FPGA), and design
74 documentation for the hardware that you could, at least in theory,
75 do something useful with a proxmark3. It has commands to:
</p>
77 <pre><code>* read any kind of
125 kHz unidirectional tag
78 * simulate any kind of
125 kHz unidirectional tag
81 <p>(This is enough to perform all of the silly cloning attacks, like the
82 ones that I did at the Capitol in Sacramento, or anything involving
83 a Verichip. From a technical standpoint, these are not that exciting,
84 although the `software radio' architecture of the proxmark3 makes it
85 easy and fun to support new formats.)
</p>
87 <p>As a bonus, I include some code to use the
13.56 MHz hardware, so you can:
</p>
89 <pre><code>* do anything that a (medium-range) ISO
15693 reader could
90 * read an ISO
14443 tag, if you know the higher-layer protocol
91 * pretend to be an ISO
14443 tag, if you know the higher-layer protocol
92 * snoop on an ISO
14443 transaction
95 <p>I am not actively developing any of this. I have other projects that
96 seem to be more useful.
</p>
99 <a name=
"using-the-package" class=
"anchor" href=
"#using-the-package"><span class=
"octicon octicon-link"></span></a>USING THE PACKAGE
</h2>
101 <p>The software tools required to build include:
</p>
104 <li>cygwin or other unix-like tools for Windows
</li>
105 <li>devkitPro (
<a href=
"http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM">http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM
</a>)
</li>
106 <li>Xilinx's WebPack tools
</li>
107 <li>Modelsim (for test only)
</li>
109 </ul><p>When installing devkitPro, you only need to install the compiler itself. Additional
110 support libraries are not required.
</p>
112 <p>Documentation is minimal, but see the doc/ directory for what exists. A
113 previous familiarity with the ARM, with digital signal processing,
114 and with embedded programming in general is assumed.
</p>
116 <p>The device is used through a specialized command line interface; for
117 example, to clone a Verichip, you might type:
</p>
119 <pre><code>loread ; this reads the tag, and stores the
120 ; raw samples in memory on the ARM
122 losamples ; then we download the samples to
125 vchdemod clone ; demodulate the ID, and then put it
126 ; back in a format that we can replay
128 losim ; and then replay it
131 <p>To read an ISO
15693 tag, you might type:
</p>
133 <pre><code>hiread ; read the tag; this involves sending a
134 ; particular command, and then getting
135 ; the response (which is stored as raw
136 ; samples in memory on the ARM)
138 hisamples ; then download those samples to the PC
140 hi15demod ; and demod them to bits (and check the
141 ; CRC etc. at the same time)
144 <p>Notice that in both cases the signal processing mostly happened on the PC
145 side; that is of course not practical for a real reader, but it is easier
146 to initially write your code and debug on the PC side than on the ARM. As
147 long as you use integer math (and I do), it's trivial to port it over
148 when you're done.
</p>
150 <p>The USB driver and bootloader are documented (and available separately
151 for download, if you wish to use them in another project) at
</p>
153 <pre><code>http://cq.cx/trivia.pl
157 <a name=
"obtaining-hardware" class=
"anchor" href=
"#obtaining-hardware"><span class=
"octicon octicon-link"></span></a>OBTAINING HARDWARE:
</h2>
159 <p>Most of the ultra-low-volume contract assemblers that have sprung up
160 (Screaming Circuits, the various cheap Asian suppliers, etc.) could put
161 something like this together with a reasonable yield. A run of around
162 a dozen units is probably cost-effective. The BOM includes (possibly-
163 outdated) component pricing, and everything is available from Digikey
164 and the usual distributors.
</p>
166 <p>If you've never assembled a modern circuit board by hand, then this is
167 not a good place to start. Some of the components (e.g. the crystals)
168 must not be assembled with a soldering iron, and require hot air.
</p>
170 <p>The schematics are included; the component values given are not
171 necessarily correct for all situations, but it should be possible to do
172 nearly anything you would want with appropriate population options.
</p>
174 <p>The printed circuit board artwork is also available, as Gerbers and an
175 Excellon drill file.
</p>
178 <a name=
"future-plans-enhancements-that-you-could-make" class=
"anchor" href=
"#future-plans-enhancements-that-you-could-make"><span class=
"octicon octicon-link"></span></a>FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:
</h2>
180 <p>At some point I should write software involving a proper real-time
181 operating system for the ARM. I would then provide interrupt-driven
182 drivers for many of the peripherals that are polled now (the USB,
183 the data stream from the FPGA), which would make it easier to develop
184 complex applications.
</p>
186 <p>It would not be all that hard to implement the ISO
15693 reader properly
187 (with anticollision, all the commands supported, and so on)--the signal
188 processing is already written, so it is all straightforward applications
191 <p>I have basic support for ISO
14443 as well: a sniffer, a simulated
192 tag, and a reader. It won't do anything useful unless you fill in the
193 high-layer protocol.
</p>
195 <p>Nicer (i.e., closer-to-optimal) implementations of all kinds of signal
196 processing would be useful as well.
</p>
198 <p>A practical implementation of the learning-the-tag's-ID-from-what-the-
199 reader-broadcasts-during-anticollision attacks would be relatively
200 straightforward. This would involve some signal processing on the FPGA,
201 but not much else after that.
</p>
203 <p>It would be neat to write a driver that could stream samples from the A/Ds
204 over USB to the PC, using the full available bandwidth of USB. I am not
205 yet sure what that would be good for, but surely something. This would
206 require a kernel-mode driver under Windows, though, which is more work.
</p>
209 <a name=
"licensing" class=
"anchor" href=
"#licensing"><span class=
"octicon octicon-link"></span></a>LICENSING:
</h2>
211 <p>This program is free software; you can redistribute it and/or modify
212 it under the terms of the GNU General Public License as published by
213 the Free Software Foundation; either version
2 of the License, or
214 (at your option) any later version.
</p>
216 <p>This program is distributed in the hope that it will be useful,
217 but WITHOUT ANY WARRANTY; without even the implied warranty of
218 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
219 GNU General Public License for more details.
</p>
221 <p>You should have received a copy of the GNU General Public License
222 along with this program; if not, write to the Free Software
223 Foundation, Inc.,
51 Franklin St, Fifth Floor, Boston, MA
02110-
1301 USA
</p>
226 user jwesthues, at host cq.cx
</p>
228 <p>May
2007, Cambridge MA
</p>
233 <div id=
"footer_wrap" class=
"outer">
234 <footer class=
"inner">
235 <p class=
"copyright">Proxmark3 maintained by
<a href=
"https://github.com/Proxmark">Proxmark
</a></p>
236 <p>Published with
<a href=
"http://pages.github.com">GitHub Pages
</a></p>