Proxmark3

Edit links
Source: Wikipedia, the free encyclopedia.
Proxmark3
First version of Proxmark3 originally designed by Jonathan Westhues
Date invented2007
FPGAXilinx Spartan®-II
ProcessorAtmel AT91SAM7S64
Memory64 kB flash

Proxmark3 is a multi-purpose hardware tool for radio-frequency identification (RFID) security analysis, research and development. It supports both high frequency (13.56 MHz) and low frequency (125/134 kHz) proximity cards and allows users to read, emulate, fuzz, and brute force the majority of RFID protocols.[1]

Originally created by Jonathan Westhues and published as open-source hardware, it was later picked up by a community of developers who significantly improved both hardware and software in comparison with the original version. Proxmark3 gathered a large community of security researchers investigating RFID access control systems, who expand and maintain the project while using it in their own research.[2] The original Proxmark3 hardware platform served as the basis for new device versions, including commercial ones.[1]

Technical specification

Proxmark3 is based on field-programmable gate array (FPGA) technology, which allows the implementation of high-performance low-level analog signal processing, modulation and demodulation. A separate microcontroller processes demodulated frames. Such setup potentially allows any RFID protocol to be implemented in Proxmark3's software.

Proxmark3 Hardware Blocks

Antennas

2 independent antenna circuits are used for low frequencies (LF) 125 kHz and 134 kHz, and high frequency (HF) 13.56 MHz. Initially, both antennas were connected with a shared 4-pin Hirose USB connector, which was unreliable at times. Subsequent revisions have opted to use a separate connector for each antenna.

ADC

8-bit Analog-to-digital converter (ADC) receives an analog signal from the antenna circuit, digitizes it and outputs the digital signal to the FPGA.

FPGA

Field-programmable gate array does both the low-level modulation when transmitting data from CPU and demodulation when receiving a signal from an ADC. It can process various modulations such as on–off keying (OOK), amplitude-shift keying (ASK), etc. The FPGA works in two ways: as reader generating electromagnetic field for cards, or as card waiting for reader field.

CPU

The

Miller, etc) and performs more advanced functions. The CPU can reply back to the FPGA after signal handling, thus implementing the transport layer. The CPU also manages the USB communication with the PC client application.[3]

Flash memory

Flash memory is used to store firmware. The early versions of Proxmark3 only had 64 kB of flash memory,[4] but as firmware developed that became scarce and versions with 512 kB appeared.[5]

The firmware itself consists of ARM code and an FPGA image (which is loaded by the ARM). The FPGA communicates with the ARM through either its SPI port (the ARM is the master) or its generic SSP. The SPI is used for FPGA configuration. The SSP is used for data sent over the air.[6]

Software

At the time Proxmark3 was developed, SDR was a hard to access technology. For that reason a split FPGA/MCU architecture was designed: an FPGA handles low-level functionality such as modulation/demodulation, while a microcontroller cares for the high-level functionality (command-line interface, protocol encoding/decoding, etc). While the FPGA/MCU architecture is technically outdated, it remained unchanged throughout hardware revisions. This allowed different versions to use the same firmware and resulted in a large code-base. However, with time the Proxmark3 codebase became increasingly fractured and hardware instabilities started to appear. As a result, some implementations refine and optimize the code (for example Proxmark3 RDV4), while others use the original Proxmark3 codebase (for example Proxmark3 EVO).[5]

General commands of Proxmark3 RDV4

Proxmark3 software is divided into three parts:

Proxmark3 client application plots data sample

Older firmware used USB HID protocol to connect the client to the Proxmark3. It was not possible to stream the received samples in real-time to the PC. CPU received a command from the client, executed it and stored the result in the memory buffer. The client had to send a new command to retrieve the CPU buffered data.[7] New firmware versions use CDC serial interface to communicate with the client.[2]

Signal samples may be handled by the PC client, it can plot received data to assist in analyzing unknown signals.

Community

Since Proxmark3's release in 2007 several RFID enthusiasts have been extending its functionality. Proxmark3 community has seen rapid growth after the release of firmware supporting the

Discord
server was later created to host both text and voice discussions on the topic of EAC system security. It had about 3000 members at the end of 2021.

Researches used Proxmark3

Mifare Classic cards attacks:

  • Darkside attack (Nijmegen/Oakland Group, 2009)– recovering at least one key from any sector of the card. Works for every card, takes a long time. Using mfoc (Mifare Offline Cracker) tool from libnfc stack.
  • Nested attack (Nicolas T. Curtois, 2009) – If one sector is encrypted with a known key, other sectors are crackable in a short amount of time. There is also the updated version of this attack – Hardnested. Using mfcuk (Mifare Classic universal toolkit) tool from libnfc stack.[9]

Mifare Classic paper:

  • A practical attack on the MIFARE Classic[10]

Mifare DESFire
paper:

  • An investigation of possible attacks on the MIFARE DESFire EV1 smartcard used in public transportation[11]

HID iClass papers:

  • Heart of darkness – exploring the uncharted backwaters of HID iCLASS security[12]

Hitag paper:

  • Gone in 360 Seconds: Hijacking with Hitag2[13]

Megamos paper:

  • Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer[14]

NFC papers:

  • Practical attacks on NFC enabled cell phones[15]

References

  1. ^
    OCLC 1178868866.{{cite book}}: CS1 maint: location missing publisher (link
    )
  2. ^
    OCLC 1029352620.{{cite book}}: CS1 maint: location missing publisher (link
    )
  3. ISBN 978-953-51-3629-3
    .
  4. ^ "A Test Instrument for HF/LF RFID". cq.cx. Retrieved 2021-09-15.
  5. ^ a b "Proxmark 3 | Proxmark". proxmark.com. Retrieved 2021-09-15.
  6. ^ "Hardware Description · Proxmark/proxmark3 Wiki". GitHub. Retrieved 2021-09-15.
  7. OCLC 1247335104.{{cite book}}: CS1 maint: multiple names: authors list (link
    )
  8. OCLC 830879913
    .
  9. ^ Courtois, Nicolas (2009). "Card-Only Attacks on MiFare Classic or How to Steal Your Oyster Card and Break into Buildings Worldwide" (PDF). UCL Discovery. Retrieved September 16, 2021.
  10. S2CID 1280839
  11. ^ Flynn, Rory. "An investigation of possible attacks on the MIFARE DESFire EV1 smartcard used in public transportation" (PDF). Retrieved September 16, 2021.
  12. ^ "Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security" (PDF). Retrieved September 16, 2021.
  13. OCLC 1247338434
    .
  14. ^ Verdult, Roel; Garcia, Flavio; Ege, Baris. "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" (PDF). Archived (PDF) from the original on 2015-09-10. Retrieved February 4, 2023.
  15. S2CID 16296134
    .
Retrieved from "https://en.wikipedia.org/w/index.php?title=Proxmark3&oldid=1193755467"