README.txt (proxmark3-svn, git.zerfleddert.de)
INTRO:

This file contains enough software, logic (for the FPGA), and design
documentation for the hardware that you could, at least in theory,
do something useful with a proxmark3. It has commands to:

* read any kind of 125 kHz unidirectional tag
* simulate any kind of 125 kHz unidirectional tag

(This is enough to perform all of the silly cloning attacks, like the
ones that I did at the Capitol in Sacramento, or anything involving
a Verichip. From a technical standpoint, these are not that exciting,
although the 'software radio' architecture of the proxmark3 makes it
easy and fun to support new formats.)

As a bonus, I include some code to use the 13.56 MHz hardware, so you can:

* do anything that a (medium-range) ISO 15693 reader could
* read an ISO 14443 tag, if you know the higher-layer protocol
* pretend to be an ISO 14443 tag, if you know the higher-layer protocol
* snoop on an ISO 14443 transaction

I am not actively developing any of this. I have other projects that
seem to be more useful.

USING THE PACKAGE:

The software tools required to build include:

* cygwin or other unix-like tools for Windows
* devkitPro (http://wiki.devkitpro.org/index.php/Getting_Started/devkitARM)
* Xilinx's WebPack tools
* Modelsim (for test only)
* perl

When installing devkitPro, you only need to install the compiler itself.
Additional support libraries are not required.

Documentation is minimal, but see the doc/ directory for what exists. A
previous familiarity with the ARM, with digital signal processing,
and with embedded programming in general is assumed.

The device is used through a specialized command line interface; for
example, to clone a Verichip, you might type:

    loread          ; this reads the tag, and stores the
                    ; raw samples in memory on the ARM

    losamples       ; then we download the samples to
                    ; the PC

    vchdemod clone  ; demodulate the ID, and then put it
                    ; back in a format that we can replay

    losim           ; and then replay it

To read an ISO 15693 tag, you might type:

    hiread          ; read the tag; this involves sending a
                    ; particular command, and then getting
                    ; the response (which is stored as raw
                    ; samples in memory on the ARM)

    hisamples       ; then download those samples to the PC

    hi15demod       ; and demod them to bits (and check the
                    ; CRC etc. at the same time)

Notice that in both cases the signal processing mostly happened on the PC
side; that is of course not practical for a real reader, but it is easier
to initially write your code and debug on the PC side than on the ARM. As
long as you use integer math (and I do), it's trivial to port it over
when you're done.
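The "demod them to bits and check the CRC" step above, written the way the text recommends: integer math only, so the same functions compile unchanged for the ARM. This is an added example and not code from the proxmark3 tree. It assumes a simplified Manchester-coded sample stream (plain low/high cells, not the actual ISO 15693 subcarrier modulation), uses the standard ISO 15693 CRC-16 (ISO/IEC 13239: reflected polynomial 0x8408, preset 0xFFFF, inverted result, sent LSB first), and all sample values and frame contents are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISO 15693 CRC-16 (ISO/IEC 13239): reflected poly 0x8408, preset 0xFFFF,
 * result inverted. Pure integer math, so it ports to the ARM as-is. */
uint16_t iso15693_crc16(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0x8408) : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

/* A frame carries its CRC as the last two bytes, LSB first. Returns 1 if the
 * CRC over the preceding bytes matches, 0 otherwise (or if too short). */
int iso15693_crc_ok(const uint8_t *frame, size_t len)
{
    if (len < 3) return 0;
    uint16_t crc = iso15693_crc16(frame, len - 2);
    return frame[len - 2] == (uint8_t)(crc & 0xFF) && frame[len - 1] == (uint8_t)(crc >> 8);
}

/* Demodulate a Manchester-coded sample stream with integer math only.
 * Convention assumed for this example: low-then-high cell = 1, high-then-low
 * cell = 0. Each half cell is samples_per_half ADC samples; the two halves
 * are compared by their sums. Bits are packed MSB first into out[]. Returns
 * the number of bits decoded, or -1 if a cell shows no transition. */
int manchester_demod(const uint8_t *samples, size_t nsamples, int samples_per_half,
                     uint8_t *out, size_t out_len)
{
    size_t cell = 2 * (size_t)samples_per_half;
    size_t nbits = nsamples / cell;
    if (nbits > out_len * 8) nbits = out_len * 8;
    for (size_t i = 0; i < out_len; i++) out[i] = 0;
    for (size_t bit = 0; bit < nbits; bit++) {
        const uint8_t *p = samples + bit * cell;
        int first = 0, second = 0;
        for (int k = 0; k < samples_per_half; k++) {
            first += p[k];
            second += p[samples_per_half + k];
        }
        if (first == second) return -1;          /* no edge: framing lost */
        if (second > first) out[bit / 8] |= (uint8_t)(0x80 >> (bit % 8));
    }
    return (int)nbits;
}

/* Constructed test input: Manchester-encode bytes (MSB first) into an
 * 8-bit ADC-like stream, low ~40 and high ~200 with a little ripple so the
 * samples are not all identical. Returns the number of samples written. */
size_t manchester_encode(const uint8_t *data, size_t len, int samples_per_half,
                         uint8_t *samples, size_t max_samples)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (int b = 7; b >= 0; b--) {
            int bit = (data[i] >> b) & 1;
            if (n + 2 * (size_t)samples_per_half > max_samples) return n;
            for (int k = 0; k < samples_per_half; k++)
                samples[n++] = (uint8_t)(bit ? 40 + (k & 1) : 200 - (k & 1));
            for (int k = 0; k < samples_per_half; k++)
                samples[n++] = (uint8_t)(bit ? 200 - (k & 1) : 40 + (k & 1));
        }
    }
    return n;
}

/* Round trip: a constructed response frame (flags, DSFID, 8 UID bytes in
 * wire order, all made-up values) gets a valid CRC appended, is encoded as
 * samples, demodulated, and CRC-checked. Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    uint8_t frame[12] = { 0x00, 0x0F, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00, 0x07, 0xE0 };
    uint16_t crc = iso15693_crc16(frame, 10);
    frame[10] = (uint8_t)(crc & 0xFF);
    frame[11] = (uint8_t)(crc >> 8);

    uint8_t samples[12 * 8 * 8];                  /* 4 samples per half cell */
    size_t n = manchester_encode(frame, 12, 4, samples, sizeof samples);

    uint8_t decoded[12];
    int nbits = manchester_demod(samples, n, 4, decoded, sizeof decoded);
    if (nbits != 96) return 0;
    for (int i = 0; i < 12; i++)
        if (decoded[i] != frame[i]) return 0;
    return iso15693_crc_ok(decoded, 12);
}

int main(void)
{
    printf("crc16(\"123456789\") = 0x%04X\n", iso15693_crc16((const uint8_t *)"123456789", 9));
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The CRC routine is the one piece here that matches a real standard; the well-known check value 0x906E for the string "123456789" is a quick way to confirm an implementation before trusting it on captured frames. The demodulator deliberately uses sums of integer samples rather than floating-point correlation, which is exactly why the PC-side prototype moves to the ARM without change.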

The USB driver and bootloader are documented (and available separately
for download, if you wish to use them in another project) at

    http://cq.cx/trivia.pl


OBTAINING HARDWARE:

Most of the ultra-low-volume contract assemblers that have sprung up
(Screaming Circuits, the various cheap Asian suppliers, etc.) could put
something like this together with a reasonable yield. A run of around
a dozen units is probably cost-effective. The BOM includes (possibly
outdated) component pricing, and everything is available from Digikey
and the usual distributors.

If you've never assembled a modern circuit board by hand, then this is
not a good place to start. Some of the components (e.g. the crystals)
must not be assembled with a soldering iron, and require hot air.

The schematics are included; the component values given are not
necessarily correct for all situations, but it should be possible to do
nearly anything you would want with appropriate population options.

The printed circuit board artwork is also available, as Gerbers and an
Excellon drill file.


FUTURE PLANS, ENHANCEMENTS THAT YOU COULD MAKE:

At some point I should write software involving a proper real-time
operating system for the ARM. I would then provide interrupt-driven
drivers for many of the peripherals that are polled now (the USB,
the data stream from the FPGA), which would make it easier to develop
complex applications.

It would not be all that hard to implement the ISO 15693 reader properly
(with anticollision, all the commands supported, and so on); the signal
processing is already written, so it is all straightforward applications
work.

I have basic support for ISO 14443 as well: a sniffer, a simulated
tag, and a reader. It won't do anything useful unless you fill in the
high-layer protocol.

Nicer (i.e., closer-to-optimal) implementations of all kinds of signal
processing would be useful as well.

A practical implementation of the learning-the-tag's-ID-from-what-the-
reader-broadcasts-during-anticollision attacks would be relatively
straightforward. This would involve some signal processing on the FPGA,
but not much else after that.

It would be neat to write a driver that could stream samples from the A/Ds
over USB to the PC, using the full available bandwidth of USB. I am not
yet sure what that would be good for, but surely something. This would
require a kernel-mode driver under Windows, though, which is more work.


LICENSING:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA


Jonathan Westhues
user jwesthues, at host cq.cx

May 2007, Cambridge MA
