The iceman fork
===============
[![Build Status](https://travis-ci.org/iceman1001/proxmark3.svg?branch=master)](https://travis-ci.org/iceman1001/proxmark3) [![Coverity Status](https://scan.coverity.com/projects/5117/badge.svg)](https://scan.coverity.com/projects/proxmark3_iceman_fork) [![Latest release](https://img.shields.io/github/release/iceman1001/proxmark3.svg)](https://github.com/iceman1001/proxmark3/releases/latest)

## This fork is HIGHLY experimental

## Notice
With all its fixes and additions, this is basically the most enhanced fork of the Proxmark3 code base to date.

## Official
The official Proxmark repository is found here: https://github.com/Proxmark/proxmark3

## Coverity Scan Config & Run
Download the Coverity Scan self-build tool and install it.
You will need to configure the arm-none-eabi cross compiler for it to use (cov-build only captures compilations done by compilers it has been configured for; if you also want the host-compiled client analysed, configure your host gcc as well with `cov-configure --gcc`):

:: Configure
`cov-configure --comptype gcc --compiler /opt/devkitpro/devkitARM/bin/arm-none-eabi-gcc`

:: Run it (I'm running on Ubuntu)
`cov-build --dir cov-int make all`

:: Make a tarball
`tar czvf proxmark3.tgz cov-int`

:: Upload it to coverity.com

## What's changed?
What's so special about this fork? I have scraped the web for different enhancements to the PM3 source code, not all of which ever found their way into the master branch.
Among the stuff is:

* Jonor's hf 14a raw timing patch
* Piwi's updates (usually get into the master)
* Piwi's "topaz" branch
* Piwi's "hardnested" branch
* Holiman's iclass (usually gets into the master)
* Marshmellow's fixes (usually get into the master)
* Midnitesnake's Ultralight, Ultralight-C enhancements
* Izsh's lf peak modification / IIR filtering
* Asper's tips and tricks from inside the PM3-gui-tool, settings.xml and other stuff.
* My own desfire and Ultralight extras, LF T55xx enhancements, bug fixes (filelength, hf mf commands), TNP3xxx lua scripts, Awid26, skidata scripts (will come)
* Other obscure patches like for the sammy-mode (offline, you know), tag identifications, default keys.
* Minor textual changes here and there.
* Simulation of Ultralight/NTAG.
* Marshmellow's and my "RevEng" addon for the client. Ref: http://reveng.sourceforge.net/ (now at reveng 1.40, see the CHANGELOG below)
* J-Run's alternative bruteforce of Mifare nested auths (you need one other exe to make it work)
* A bruteforce for T55XX passwords against the tag.
* A bruteforce for AWID 26, starting with a facility code then trying all 0xFFFF card numbers via simulation. To be used against an AWID reader.
* A bruteforce for HID, starting with a facility code then trying all 0xFFFF card numbers via simulation. To be used against a HID reader.
* Blapost's Crapto1 v3.3
* Icsom's legic script and legic enhancements
* Aczid's bitsliced bruteforce solver in 'hf mf hardnested'

## Straight from the CHANGELOG
- Added `hf mf key_brute` - adds J-Run's 2nd phase bruteforce, ref: https://github.com/J-Run/mf_key_brute (iceman)
- Added `lf jablotron` - adds demod/clone/sim of Jablotron LF tags. (iceman)
- Added `lf t55xx recoverpw` - adds a new password recovery using bitflips and partial flips if a password write went bad. (alexgrin)
- `hf legic` - added improved legic data mapping. (jason)
- `hf mf mifare` - added possibility to target key A|B (douniwan5788)
- Added `analyse lcr` - added a new main command group, to help analysing bytes & bits & nibbles. (iceman)
- Added `lf nedap` - added identification of a NEDAP tag. (iceman)
- `lf viking clone` - fixed a bug. (iceman)
- Added bitsliced bruteforce solver in `hf mf hardnested` (Aczid)
- `hf mf chk` speedup (iceman)
- `hf 14a/mf sim x` attack mode now also uses the moebius version of mfkey32 to try to find the key. (iceman)
- `hf 14a sim` Added emulation of Mifare cards with 10-byte UID length. (iceman)
- `hf mf sim` Added emulation of Mifare cards with 10-byte UID length. (iceman)
- Added `lf guard clone/sim` (iceman)
- Added `lf pyramid clone/sim` (iceman)
- Trying to fix the `hf 14b` command to be able to read CALYPSO cards. (iceman)
- `hf legic load` now loads faster and a casting bug is gone. (iceman)
- Added `hf legic calccrc8` - a method to calculate the legic CRC-8 value (iceman)
- `hf legic decode` fixed the output overflow bugs, better printing (iceman)
- Coverity Scan fixes: a lot of resource leaks, etc. (iceman)
- Added `lf presco *` commands, started (iceman)
- Added `lf hid wiegand` - a method to calculate WIEGAND in different formats (iceman)
- `hf mf chkkeys` better printing, same table output as nested, faster execution and added Adam Laurie's "try to read key B if key A is found" (iceman)
- `hf mf nested` better printing and added Adam Laurie's "try to read key B if key A is found" (iceman)
- `hf mf mifare` fixed the zero-parity path, which didn't get called. (iceman)
- Updated @blapost's Crapto1 implementation to v3.3 (blapost)
- `hf mf c*` updated the calling structure and refactored the chinese magic commands (iceman, marshmellow)
- Started to add Peter Fillmore's EMV fork into the Iceman fork. ref: https://github.com/peterfillmore/proxmark3 (peter fillmore, iceman)
- Added Travis-CI automatic build integration with the GitHub fork. (iceman)
- Updated the Reveng 1.30 sourcecode to 1.31 from the Reveng project homepage (iceman)
- Updated the Reveng 1.31 sourcecode to 1.40 from the Reveng project homepage (iceman)

- Added possibility to write directly to a Legic Prime tag (MIM256/1024) without using values from the 'BigBuffer' -> `hf legic writeRaw <addr> <value>` (icsom)
- Added possibility to decrease DCF values at address 0x05 & 0x06 on a Legic Prime tag.
  The DCF value will be pulled from the BigBuffer (address 0x05 & 0x06), so you have to
  load the data into the BigBuffer first with `hf legic load <path/to/legic.dump>` and then
  write the DCF values (both at once) with `hf legic write 0x05 0x02` (icsom)
- Added script `legic.lua` for displaying and editing data of Legic Prime tags (icsom)
- Added the experimental HITAG_S support (spenneb)
- Added topaz detection to `hf search` (iceman)
- Fixed the silent mode for 14b to be used inside `hf search` (iceman)

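As an added example that is not code from the iceman fork or the Proxmark3 client, here is the 26-bit Wiegand layout behind two items above: what `lf hid wiegand` computes for the standard HID 26-bit format, and the card-number space that the "facility code first, then all 0xFFFF card numbers" brute force against HID readers enumerates by simulation. The layout assumed is HID H10301 (leading even parity over the first 12 data bits, 8-bit facility code, 16-bit card number, trailing odd parity over the last 12 data bits). AWID 26 has its own on-air encoding that this example does not model. All function names are this example's own.

```python
"""26-bit Wiegand (HID H10301 layout) encoder/decoder plus the search space a
facility-code-first brute force has to cover.

Added illustration, not code from the iceman fork. Layout assumed (MSB first):
  bit 25      even parity over the 12 data bits that follow (FC + CN[15:12])
  bits 24..17 8-bit facility code
  bits 16..1  16-bit card number
  bit 0       odd parity over the 12 data bits that precede it (CN[11:0])
"""
from typing import Iterator, Tuple

FRAME_BITS = 26
FC_BITS = 8
CN_BITS = 16


def _parity(value: int) -> int:
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def wiegand26_encode(facility: int, card: int) -> int:
    """Pack facility code and card number into a 26-bit frame with both parity bits."""
    if not 0 <= facility < (1 << FC_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < (1 << CN_BITS):
        raise ValueError("card number must fit in 16 bits")
    data = (facility << CN_BITS) | card      # the 24 data bits
    left12 = data >> 12                      # FC and the top nibble of CN
    right12 = data & 0xFFF                   # low 12 bits of CN
    even_bit = _parity(left12)               # makes ones(left12) + bit even
    odd_bit = 1 ^ _parity(right12)           # makes ones(right12) + bit odd
    return (even_bit << 25) | (data << 1) | odd_bit


def wiegand26_decode(frame: int) -> Tuple[int, int]:
    """Unpack a 26-bit frame into (facility, card); raises ValueError if a parity bit is wrong."""
    if not 0 <= frame < (1 << FRAME_BITS):
        raise ValueError("frame must be 26 bits")
    even_bit = frame >> 25
    odd_bit = frame & 1
    data = (frame >> 1) & 0xFFFFFF
    if _parity(data >> 12) != even_bit:      # left group must have an even number of ones
        raise ValueError("even parity mismatch")
    if _parity(data & 0xFFF) == odd_bit:     # right group must have an odd number of ones
        raise ValueError("odd parity mismatch")
    return data >> CN_BITS, data & 0xFFFF


def is_valid_frame(frame: int) -> bool:
    """True if both parity bits check out; any single flipped bit is caught."""
    try:
        wiegand26_decode(frame)
        return True
    except ValueError:
        return False


def frame_to_bits(frame: int) -> str:
    """Render the frame MSB first as a 26-character bit string, parity bits at both ends."""
    return format(frame, f"0{FRAME_BITS}b")


def candidate_frames(facility: int) -> Iterator[Tuple[int, int]]:
    """Yield (card_number, frame) for every card number under one facility code.

    This is exactly the space the AWID/HID brute force walks by simulating one
    credential after another: 2**16 = 65536 candidates per facility code, so a
    bare 26-bit credential has no secret left once the facility code is known.
    """
    for card in range(1 << CN_BITS):
        yield card, wiegand26_encode(facility, card)


if __name__ == "__main__":
    fc, cn = 1, 1                            # constructed sample values, not from a real card
    frame = wiegand26_encode(fc, cn)
    print(f"FC={fc} CN={cn} -> 0x{frame:07X} {frame_to_bits(frame)}")
    print("round trip:", wiegand26_decode(frame))
    print("candidates per facility code:", sum(1 for _ in candidate_frames(fc)))
```

The bit string printed by `frame_to_bits` is the same MSB-first order in which a reader clocks the frame out over its two data lines, which is what a simulated credential has to reproduce for each candidate.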
---
Give me a hint, and I'll see if I can't merge in the stuff you have.

I don't actually know how to make small pull requests on GitHub :( and that is the number one reason for me not pushing a lot of things back to the PM3 master.

## PM3 GUI
I do tend to rename and move stuff around, so the official PM3-GUI from Gaucho will not work so well. *sorry*

## Development
This fork now compiles just fine on

- Windows/mingw environment with Qt5.3.1 & GCC 4.8
- Ubuntu 14.04, 15.10
- Mac OS X (or before the hardnested BF solver at least)

## Setup and build for UBUNTU
GC made updates to allow this to build easily on Ubuntu 14.04.2 LTS or 15.10.
See https://github.com/Proxmark/proxmark3/wiki/Ubuntu%20Linux

Run
`sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev`

Follow these instructions.
Get devkitARM release 41 from SourceForge (choose either the 64- or 32-bit build depending on your architecture; it is assumed you know how to check and recognize your architecture):

(64-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-x86_64-linux.tar.bz2/download
(32-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-i686-linux.tar.bz2/download

Extract the contents of the .tar.bz2:
`tar jxvf devkitARM_r41-<arch>-linux.tar.bz2`

Create a directory for the ARM dev kit:
`sudo mkdir -p /opt/devkitpro/`

Move the ARM developer kit to the newly created directory:
`sudo mv devkitARM /opt/devkitpro/`

Add the appropriate environment variable:
`export PATH=${PATH}:/opt/devkitpro/devkitARM/bin/`

Add the environment variable to your profile (keep the closing quote directly after the path: a trailing space inside the quotes ends up in the PATH entry and the toolchain will not be found):
`echo 'export PATH=${PATH}:/opt/devkitpro/devkitARM/bin/' >> ~/.bashrc`

Clone the iceman fork and change into it:
`git clone https://github.com/iceman1001/proxmark3.git`
`cd proxmark3`

Get the latest commits:
`git pull`

Clean compile:
`make clean && make all`

Flash the BOOTROM (`-b` enables writing the bootloader area; your user needs write access to the serial device, which on Ubuntu means membership in the `dialout` group):
`client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf`

Flash the FULLIMAGE:
`client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf`

Change into the client folder:
`cd client`

Run the client:
`./proxmark3 /dev/ttyACM0`

## Homebrew (Mac OS X)
These instructions come from @Chrisfu, where I got the proxmark3.rb script file from.
Further questions about Mac & Homebrew, contact @Chrisfu (https://github.com/chrisfu/)

1. Install homebrew if you haven't yet already done so: http://brew.sh/

2. Tap this repo: `brew tap iceman1001/proxmark3`

3. Install Proxmark3: `brew install proxmark3` for the stable release or `brew install --HEAD proxmark3` for the latest non-stable from GitHub.

## Docker container
I recently added a docker container on Docker Hub. You find it here: https://hub.docker.com/r/iceman1001/proxmark3/
Follow those instructions to get it up and running. No need for the old proxspace environment anymore.

[1.6.0] How to start: https://www.youtube.com/watch?v=b5Zta89Cf6Q
[1.6.0] How to connect: https://youtu.be/0ZS2t5C-caI
[1.6.1] How to flash: https://www.youtube.com/watch?v=WXouhuGYEiw

Recommendations:
Use only container tag [1.6.4]

## Buying a proxmark3
The Proxmark 3 device is available for purchase (assembled and tested) from the following locations:

* http://proxmark3.tictail.com/ (for buyers in the EU, most likely in Sweden)

* http://www.elechouse.com/ (new and revised hardware package 2015, located in China)

## Enjoy

January 2015, Sweden
iceman at host iuse.se

## Note from Jonathan Westhues
Most of the ultra-low-volume contract assemblers could put
something like this together with a reasonable yield. A run of around
a dozen units is probably cost-effective. The BOM includes (possibly-
outdated) component pricing, and everything is available from Digikey
and the usual distributors.

If you've never assembled a modern circuit board by hand, then this is
not a good place to start. Some of the components (e.g. the crystals)
must not be assembled with a soldering iron, and require hot air.

The schematics are included; the component values given are not
necessarily correct for all situations, but it should be possible to do
nearly anything you would want with appropriate population options.

The printed circuit board artwork is also available, as Gerbers and an
Excellon drill file.


LICENSING:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA


Jonathan Westhues
user jwesthues, at host cq.cx

May 2007, Cambridge MA