Proxmark3 Plot Sample
   HOME

TheInfoList



OR:

Proxmark3 is a multi-purpose hardware tool for
radio-frequency identification Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromag ...
(RFID) security analysis, research and development. It supports both
high frequency High frequency (HF) is the ITU designation for the range of radio frequency electromagnetic waves (radio waves) between 3 and 30 megahertz (MHz). It is also known as the decameter band or decameter wave as its wavelengths range from one to ten ...
(13.56 MHz) and
low frequency Low frequency (LF) is the ITU designation for radio frequencies (RF) in the range of 30–300 kHz. Since its wavelengths range from 10–1  km, respectively, it is also known as the kilometre band or kilometre wave. LF radio waves exh ...
(125/134 kHz) proximity cards and allows users to read, emulate, fuzz, and brute force the majority of RFID protocols. Originally created by Jonathan Westhues and published as
open-source hardware Open-source hardware (OSH) consists of physical artifacts of technology designed and offered by the open-design movement. Both free and open-source software (FOSS) and open-source hardware are created by this open-source culture movement and a ...
, it was later picked up by a community of developers who significantly improved both hardware and software in comparison with the original version. Proxmark3 gathered a large community of security researchers investigating RFID
access control In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of ''accessing'' may mean consuming ...
systems, who expand and maintain the project while using it in their own research. The original Proxmark3 hardware platform served as the basis for new device versions, including commercial ones.


Technical specification

Proxmark3 is based on
field-programmable gate array A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturinghence the term '' field-programmable''. The FPGA configuration is generally specified using a hardware d ...
(FPGA) technology, which allows the implementation of high-performance low-level analog signal processing, modulation and demodulation. A separate
microcontroller A microcontroller (MCU for ''microcontroller unit'', often also MC, UC, or μC) is a small computer on a single VLSI integrated circuit (IC) chip. A microcontroller contains one or more CPUs (processor cores) along with memory and programmable i ...
processes demodulated frames. Such setup potentially allows any RFID protocol to be implemented in Proxmark3's software.


Antennas

2 independent antenna circuits are used for
low frequencies Low frequency (LF) is the ITU designation for radio frequencies (RF) in the range of 30–300  kHz. Since its wavelengths range from 10–1  km, respectively, it is also known as the kilometre band or kilometre wave. LF radio waves ex ...
(LF) 125 kHz and 134 kHz, and
high frequency High frequency (HF) is the ITU designation for the range of radio frequency electromagnetic waves (radio waves) between 3 and 30 megahertz (MHz). It is also known as the decameter band or decameter wave as its wavelengths range from one to ten ...
(HF) 13.56 MHz. Initially, both antennas were connected with a shared 4-pin Hirose USB connector, which was unreliable at times. Subsequent revisions have opted to use a separate connector for each antenna.


ADC

8-bit
Analog-to-digital converter In electronics, an analog-to-digital converter (ADC, A/D, or A-to-D) is a system that converts an analog signal, such as a sound picked up by a microphone or light entering a digital camera, into a digital signal. An ADC may also provide ...
(ADC) receives an analog signal from the antenna circuit, digitizes it and outputs the digital signal to the FPGA.


FPGA

Field-programmable gate array A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturinghence the term '' field-programmable''. The FPGA configuration is generally specified using a hardware d ...
does both the low-level modulation when transmitting data from CPU and demodulation when receiving a signal from an ADC. It can process various modulations such as
on–off keying On–off keying (OOK) denotes the simplest form of amplitude-shift keying (ASK) modulation that represents digital data as the presence or absence of a carrier wave. In its simplest form, the presence of a carrier for a specific duration represen ...
(OOK),
amplitude-shift keying Amplitude-shift keying (ASK) is a form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, a symbol, representing one or more bits, is sent by transmitting a fixed-amplitude car ...
(ASK), etc. The FPGA works in two ways: as reader generating electromagnetic field for cards, or as card waiting for reader field.


CPU

The
ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between the ...
microcontroller is responsible for the protocol part. It encodes and decodes the frames (
Manchester Manchester () is a city in Greater Manchester, England. It had a population of 552,000 in 2021. It is bordered by the Cheshire Plain to the south, the Pennines to the north and east, and the neighbouring city of Salford to the west. The t ...
,
Miller A miller is a person who operates a Gristmill, mill, a machine to grind a grain (for example corn or wheat) to make flour. Mill (grinding), Milling is among the oldest of human occupations. "Miller", "Milne" and other variants are common surname ...
, etc) and performs more advanced functions. The CPU can reply back to the FPGA after signal handling, thus implementing the transport layer. The CPU also manages the USB communication with the PC client application.


Flash memory

Flash memory Flash memory is an electronic non-volatile computer memory storage medium that can be electrically erased and reprogrammed. The two main types of flash memory, NOR flash and NAND flash, are named for the NOR and NAND logic gates. Both us ...
is used to store firmware. The early versions of Proxmark3 only had 64 kB of flash memory, but as firmware developed that became scarce and versions with 512 kB appeared. The firmware itself consists of ARM code and an FPGA image (which is loaded by the ARM). The FPGA communicates with the ARM through either its SPI port (the ARM is the master) or its generic SSP. The SPI is used for FPGA configuration. The SSP is used for data sent over the air.


Software

At the time Proxmark3 was developed, SDR was a hard to access technology. For that reason a split
FPGA A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturinghence the term '' field-programmable''. The FPGA configuration is generally specified using a hardware de ...
/ MCU architecture was designed: an FPGA handles low-level functionality such as modulation/demodulation, while a microcontroller cares for the high-level functionality (
command-line interface A command-line interpreter or command-line processor uses a command-line interface (CLI) to receive commands from a user in the form of lines of text. This provides a means of setting parameters for the environment, invoking executables and pro ...
, protocol encoding/decoding, etc). While the FPGA/MCU architecture is technically outdated, it remained unchanged throughout hardware revisions. This allowed different versions to use the same firmware and resulted in a large code-base. However, with time the Proxmark3 codebase became increasingly fractured and hardware instabilities started to appear. As a result, some implementations refine and optimize the code (for example Proxmark3 RDV4), while others use the original Proxmark3 codebase (for example Proxmark3 EVO). Proxmark3 software is divided into three parts: * PC client (application layer) – PC application which calls the Proxmark3 functions. It is used to display data, analyze the signal and manage Proxmark3. Subsequently, in newer Proxmark3 versions a mobile app can be used to control the Bluetooth-connected device. * CPU firmware (transport layer) –
ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between the ...
firmware that manages protocol messages, formats and queues. It also provides
CLI CLI may refer to: Computing * Call Level Interface, an SQL database management API * Command-line interface, of a computer program * Command-line interpreter or command language interpreter; see List of command-line interpreters * CLI (x86 instruc ...
tools. * FPGA firmware (physical layer) – Xilinx Spartan II firmware is responsible for the
DSP DSP may refer to: Computing * Digital signal processing, the mathematical manipulation of an information signal * Digital signal processor, a microprocessor designed for digital signal processing * Yamaha DSP-1, a proprietary digital signal ...
: modulating/demodulating of signals. Older firmware used USB HID protocol to connect the client to the Proxmark3. It was not possible to stream the received samples in real-time to the PC. CPU received a command from the client, executed it and stored the result in the memory buffer. The client had to send a new command to retrieve the CPU buffered data. New firmware versions use
CDC The Centers for Disease Control and Prevention (CDC) is the national public health agency of the United States. It is a United States federal agency, under the Department of Health and Human Services, and is headquartered in Atlanta, Georgi ...
serial interface to communicate with the client. Signal samples may be handled by the PC client, it can plot received data to assist in analyzing unknown signals.


Community

Since Proxmark3's release in 2007 several RFID enthusiasts have been extending its functionality. Proxmark3 community has seen rapid growth after the release of firmware supporting the ISO/IEC 14443-A standard and appearing successful attacks on Mifare Classic. The Proxmark3 forum (registration required) became one of the main hubs for RFID system vulnerability discussion frequented by security researchers focusing on electronic access control (EAC) systems. The Proxmark community also houses developers of other RFID research tools: for example LibNFC. The community
Discord Discord is a VoIP and instant messaging social platform. Users have the ability to communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communities called "servers".The developer documenta ...
server was later created to host both text and voice discussions on the topic of EAC system security. It had about 3000 members at the end of 2021.


Researches used Proxmark3

Mifare MIFARE is the NXP Semiconductors-owned trademark of a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards. The brand name covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A ...
Classic cards attacks: * Darkside attack (Nijmegen/Oakland Group, 2009)– recovering at least one key from any sector of the card. Works for every card, takes a long time. Using mfoc (Mifare Offline Cracker) tool from libnfc stack. * Nested attack (Nicolas T. Curtois, 2009) – If one sector is encrypted with a known key, other sectors are crackable in a short amount of time. There is also the updated version of this attack – Hardnested. Using mfcuk (Mifare Classic universal toolkit) tool from libnfc stack. Mifare Classic paper: * A practical attack on the MIFARE Classic Mifare DESFire paper: * An investigation of possible attacks on the MIFARE DESFire EV1
smartcard A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
used in public transportation HID iClass papers: * Heart of darkness – exploring the uncharted backwaters of HID iCLASS security Hitag paper: * Gone in 360 Seconds: Hijacking with Hitag2
NFC NFC may refer to: Psychology * Need for cognition, in psychology * Need for closure, social psychological term Sports * NFC Championship Game, the National Football Conference Championship Game * NCAA Football Championship (Philippines) * Nati ...
papers: * Practical attacks on NFC enabled cell phones{{Cite journal, last1=Verdult, first1=Roel, last2=Kooman, first2=Francois, date=February 2011, title=Practical Attacks on NFC Enabled Cell Phones, url=https://ieeexplore.ieee.org/abstract/document/5741305/?casa_token=mNhseX3NFGQAAAAA:tUjpO1eb59wejraNbeePGYgzCo4QdP_bM_SiTMeraNzHW-EEHfEz0XWAP89VDvKfT1Dz8zUGnX6Wcg, journal=2011 Third International Workshop on Near Field Communication, pages=77–82, doi=10.1109/NFC.2011.16, hdl=2066/92208, isbn=978-1-61284-176-2, s2cid=16296134, hdl-access=free Radio-frequency identification Open-source hardware Computer-related introductions in 2007


References