RunningPM3

Running the PM3

Updated Nov 21, 2011 by W8M2Hg9l...@gmail.com

Running the PM3

Running the PM3

Using the Proxmark3
Is it working ?
Which firmware should I run ?
How to upgrade the firmware

Native Linux flashing
Linux & VMWare

Supported tag types
Standalone Mode - HID Prox emulation
Examples

Identifying an unknown tag
Cloning/replaying a HID Prox tag
Get the UID of a Mifare card using ’snooping’ capabilities
Reading a ISO15693 Tag
Getting the sector key of a mifare card

Snooping on Mifare communications

Troubleshooting

USB Connection issues
Making the proxmark3 work without root access

Using the Proxmark3

In this section we will discuss the various practical aspects of running the Proxmark3 in day to day operations.

Is it working ?

In order to check that your Proxmark3 is working, plug it into a USB port using a mini-USB cable, and observe the LED boot sequence :

With the original firmware, the boot sequence is as follows :

All LEDs on
Yellow only
Yellow and green
Red only
All LEDs off

With the 20081211 version, here is what happens :

LED boot sequence now changed, C (red) lights up when boot code jumps from flash to RAM boot code, A (yellow) lights up after clocks have been initialized, B (green) lights up when jumping from boot code to main code, then D (red led away from the others) lights up while code is being downloaded to FPGA, then all leds turn off and board is ready for action.

With these changes the board now boots and is ready to use in about 3 seconds. Also since the USB bus is not initialized twice (once during boot, then again when the main code runs) unless the button is held down at boot, this seems to avoid the double USB connect and "USB device not recognized" when device is connected to the USB bus or software reset.

Which firmware should I run ?

Basically : the original Proxmark3 firmware only supports 125kHz tags, ISO15693 and ISO14443-B modulations. The firmware written by Koning (20080514) and posted on proxmark.org adds ISO14443-A support to the Proxmark3. The latest versions add new commands related to HID tags, and also commands for supporting a LCD screen on the Proxmark3.

The biggest issue at the moment with the device, is that several people tend to work on it without a proper central source code management system : this means that some features make it into some versions, some don’t, with no exact overlap.

As of March 2009, there are several versions of the firmware which can be found on http://proxmark.org/ :

The original version available on the page of the Proxmark author. This version does not support 14443a
The updated version available on the Proxmark.org page, aka the 20080514 and 20081121 versions. This version supports 14443a. A binary version of the firmware is available on the proxmark.org files section. It does not touch the bootloader and includes both FPGA & OS images in the same .s19 file.
The updated version available on the same Proxmark.org page which introduces a new enhanced bootloader : 20081211. From this version on, bootloader, fpgaimage & OS can be flashed separately. Nevertheless, the linux port of the proxmark3 client will work on standard proxmark devices.
There is a Linux port, released as version 20090112. This version is not compatible with the Windows version because it changes the USB device descriptor. It introduces interesting UID cloning features in 14443-A in the source code
As or March 2009, a 20090301_doob version was released, which includes several new ISO-15693 commands. A 20090306_edo version was released which also includes the linux command line client but is otherwise identical to the 20090301 version.
In April 2009, a a new Google code project was created and is hosted on Google Code. You can check the source out on SVN, and download ready-made s19 files there too.

How to upgrade the firmware

As described earlier, the Proxmark firmware comprises a bootloader, a fpga image and actual OS, i.e. the ARM code. This firmware can be upgraded through USB, this is a feature of the bootloader. Depending on the firmware version, you can either upgrade the bootloader or the fpga+os (original firmware), or upgrade bootloader, fpga image and os separately (20081211 version).

In the normal course of operations, there is no reason why you should need to use the JTAG connector that is installed on the Proxmark, unless you somehow manage to crash the bootloader itself when flashing it over USB.

Actual flashing of the proxmark involves issuing flash commands twice : the first attempt causes the device to reboot, and then a second time where actual flashing takes place :

#prox load osimage.s19
-- error, then the device reboots --
#prox load osimage.s19
-- actual flashing takes place

Note : this double command is not necessary for current versions of the firmware, as described below :

Note for 20081211 version and later : flashing can only be done with the proxmark button pressed down when the proxmark is plugged in, as described in the ’CHANGES.TXT’ file in the ’doc’ directory that comes in the 20081211 zipfile.

With this boot code, the device can now only be flashed if button is held down after power on or a software reset.

The flash procedure is this :

Hold down button. Either plug in USB or software reset it. _While_holding_down_button_ (red and yellow LEDs are lit) you can issue one or more of the "prox bootrom " "prox fpga " "prox load ", be sure to hold button down for the entire duration of the flash process. Only release the button when flashing is complete and you want to let the board boot.

This process may be less convenient but it’s safer and avoids "unintentional" flashing of the board.

Native Linux flashing

As of July 2009, the SVN versions include a linux "flasher" command, which works like the windows "prox" command. Type ’flasher’ for the command line to get the list of flashing options.

Linux & VMWare

Thanks to the new flashing mode (keeping the button pressed), it now is fairly simple & reliable to flash the Proxmark3 from a Windows XP guest on a Linux host using vmware : just make sure your virtual machine is configured to automatically grab USB devices when it has focus and don’t forget to keep the Proxmark3 button pressed when you connect it to the USB port.

Supported tag types

Below is a table summarizing various tag types and operations supported on the latest SVN version of the Proxmark3 firmware : it is not limitating in any way, get back to me if you have tested other tag types

Manufacturer	Tag name	Frequency	Modulation	Read	Simulate	Snoop	Comment
ST Micro	SRI512	13.56MHz	ISO14443-B	Yes	No	Yes	UID read, memory dump.
NXP and many others	Mifare	13.56MHz	ISO14443-A	Yes	Yes	Yes	Very Limited simulation capabilities in current firmware
NXP	icode SLI	13.56MHz	ISO15693	Yes	No	No	Simulation code not working. Limited reading capabilities.
EM Microelectronics	EM Marin 4200 series	125kHz	125kHz OOK	Yes	Yes	No	Simulation not tested, manchester encoded. Exists in several variants, but I only encountered the Manchester type.
Nedap	Nedap	125kHz	120kHz OOK	Yes	Yes	No	Simulation not tested, manchested encoded, works at 125kHz
HID (formerly Motorola)	Indala	125kHz	125kHz BPSK	Yes	Yes	No	UID is scrambled, but replay works.
HID	HID Prox	125kHz	125kHz FSK	Yes	Yes	No	Replay works. Decoding either on the Proxmark, or in the client.

Standalone Mode - HID Prox emulation

The HID Standalone mode is available in SVN revision 52 and above.

To get into stand-alone mode (works with or without a PC), hold the button for a second. You’ll see the lights go into a synchronized little bit. When done, the red1 LED will be lit. When using a PC, debug output will be printed so you see what’s going on.

When just red1 (next to the other two LEDs) is lit, that means slot 1 (red1) is selected.

When just orange is lit, that means slot 2 (orange) is selected.

When red2 is lit (and either red1/orange), that means the pm3 is recording and waiting for an HID tag to be detected. Once detected, the red2 light will turn off and the tag will be stored in the selected slot.

When green is lit (and either red1/orange), that means that specific slot is simulating the HID tag stored on that slot.

To record, hold down the button for 1 second until the red2 light comes on. This will record to the active slot (either red1 or orange).

To play, just press the button and the green light comes on for the selected slot. To switch to either slot, press the button again. You may need to press twice (once to play the current slot, then to switch to the next slot).

So pressing four times would do :

-> red1 (selected 1)
-> red1+green (playing 1)
-> orange (selected 2)
-> orange+green (playing 2)
-> red1 (selected 1) ...

Examples

Identifying an unknown tag

This method was documented in this proxmark.org forum post.

A really quick and easy way of determining if a card is HF or LF is to :

1. Run the tune command a couple of times to get an idea of what your voltage readings are on LF and HF.
2. place the unknown card/tag against the proxmark antennas (LF & HF)
3. Run the tune command a couple of times again to get an idea of what the values are wth the tag in the antenna fields
4. Look for significant voltage drops in either HF or LF, the voltage drop indicates the tag operating frequency.

Generally you will see a voltage drop (sometimes over 10 volts) on the corresponding frequency (e.g. LF 125kHz/134kHz, HF 13.56MHz)

Some examples :

Nominal Tune readings (no tags nearby)
   # LF antenna @  26 mA / 33972 mV [1273 ohms] 125Khz
   # LF antenna @  18 mA / 22290 mV [1187 ohms] 134Khz
   # HF antenna @  60 mA / 14276 mV [235 ohms] 13.56Mhz
A HID LF prox card :

   # LF antenna @   8 mA / 10205 mV [1273 ohms] 125Khz      [~ 23.5 Volt drop]
   # LF antenna @   9 mA / 11547 mV [1187 ohms] 134Khz      [~ 10.7 Volt drop]
   # HF antenna @  60 mA / 14244 mV [235 ohms] 13.56Mhz
An ISO15693 HF prox card :

   # LF antenna @  26 mA / 33837 mV [1273 ohms] 125Khz
   # LF antenna @  18 mA / 22290 mV [1187 ohms] 134Khz
   # HF antenna @  50 mA / 11794 mV [235 ohms] 13.56Mhz    [~ 2.5 Volt drop]
An ISO14443A HF tag :

   # LF antenna @  26 mA / 33972 mV [1273 ohms] 125Khz
   # LF antenna @  18 mA / 22155 mV [1187 ohms] 134Khz
   # HF antenna @  44 mA / 10538 mV [235 ohms] 13.56Mhz   [~ 3.7 Volt drop]

Cloning/replaying a HID Prox tag

From this post, you can see how you can use the HID-related commands to read & replay HID Prox tags using the commands introduced in the 20081211 firmware.

In particular, this post gives a good example of a properly read tag waveform :

Get the UID of a Mifare card using ’snooping’ capabilities

Place a Mifare card on a Mifare reader (in this case, an Omnikey 5321), and put the antenna between the Mifare card and the reader.

Issue the following command :

proxmark3> hi14asnoop
> hi14asnoop

The Red, Yellow and Green LEDs blink with activity. After a while, once the Proxmark3 buffer is full, the "command finished" prompt is issued :
#db# COMMAND FINISHED
#db# 00000022, 00000000, 00000000

#db# 00000020, 000007d6, 00000093

#db# 00000022, 00000000, 00000000

#db# 00000020, 000007d6, 00000093

You can then decode the ISO14443-A commands which were snooped :

the reader sends "26" (REAQA) to check if there are tags in the field.
the tag answers "0400" to say "Hi"
the reader says "9320" to select the tag —or any tag in the field—
the tag answers with its UID
the reader retries "select" with the tag’s UID
the tag says "I’m a mifare 1K"
the reader attempts to read block zero (30 00 02 a8)
the tag says "Not allowed" (04)
the reader says "Halt" (50 00 57 cd)

> hi14alist
recorded activity:
ETU     :rssi: who bytes
---------+----+----+-----------
+      0:    :     26
+ 381383:    :     26
+ 381375:    :     26
+     64:   0: TAG 04  00
+   3432:    :     93  20
+     64:   0: TAG 84  76  81  dd  ae
+   7345:    :     93  70  84  76  81  dd  ae  01  9a
+     64:   0: TAG 08  b6  dd
+  97771:    :     30  00  02  a8
+     72:   0: TAG 04
+   5368:    :     50  00  57  cd
...

the Mifare UID of the card is indeed 847681DD

Reading a ISO15693 Tag

The image below shows the reading from a iso-15683 ski pass as used in the French alps

proxmark3> hi15read
> hi15read
proxmark3> hisamples
> hisamples
proxmark3> norm
> norm
proxmark3> hi15demod
> hi15demod
SOF at 10, correlation 387
EOF at 410
12 octets
#  0: 00
#  1: 01
#  2: fd
#  3: f1
#  4: 82
#  5: 12
#  6: 00
#  7: 00
#  8: 07
#  9: e0
# 10: 7d
# 11: da
CRC=da7d
proxmark3>

Getting the sector key of a mifare card

Snooping on Mifare communications

This is a working example of how the sector keys of mifare cards can be retrieved with a Proxmark3, using the "crapto-1" package found on Google Code.

The trace below is taken from a hi14asnoop session followed by hi14alist to get the beginning of the authentication & encryption protocol :

Commands	Comment
+ 561882 : 1 : 26	REQA
+ 64 : 2 : TAG 04 00	Answer reqa
+ 10217 : 2 : 93 20	Select
+ 64 : 5 : TAG 9c 59 9b 32 6c	The card’s UID is therefore : 9c 59 9b 32
+ 12313 : 9 : 93 70 9c 59 9b 32 6c 6b 30	Select with UID
+ 64 : 3 : TAG 08 b6 dd	Tag type (Mifare 1K)
+ 923318 : 4 : 60 00 f5 7b	AUTH (block 00)
+ 112 : 4 : TAG 82 a4 16 6c	Tag challenge (nt, "Nonce Tag")
+ 6985 : 8 : a1 e4 ! 58 ce ! 6e ea ! 41 e0 !	nr XOR ks1 (Nonce Reader, encrypted, 4 bytes), ar XOR ks2 (Answer Reader to Nonce Tag, encrypted)
+ 64 : 4 : TAG 5c ! ad f4 39 !	at XOR ks3 (Answer Tag, encrypted)

In order to extract the key for sector 0 from the exchange, we need the following elements :

Tag UID
Tag challenge (nt)
Reader challenge, encrypted (nr xor ks1, aka nr)
Reader response, encrypted (ar XOR ks2, aka ar)
Tag response, encrypted (at XOR ks3, aka at)

In the example above :

UID : 0x9c599b32
nt : 0x82a4166c
nr : 0xa1e458ce
ar : 0x6eea41e0
at : 0x5cadf439

Those can then be used in the following "crapto1" test program :

// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>

int main (void)
{
 struct Crypto1State *revstate;
 uint64_t lfsr;
 unsigned char* plfsr = (unsigned char*)&lfsr;


 uint32_t uid                = 0x9c599b32;
 uint32_t tag_challenge      = 0x82a4166c;
 uint32_t nr_enc             = 0xa1e458ce;
 uint32_t reader_response    = 0x6eea41e0;
 uint32_t tag_response       = 0x5cadf439;

 uint32_t ks2                = reader_response ^ prng_successor(tag_challenge, 64);
 uint32_t ks3                = tag_response ^ prng_successor(tag_challenge, 96);

 printf("nt': %08x\n",prng_successor(tag_challenge, 64));
 printf("nt'': %08x\n",prng_successor(tag_challenge, 96));

 printf("ks2: %08x\n",ks2);
 printf("ks3: %08x\n",ks3);

 revstate = lfsr_recovery(ks2, ks3);
 lfsr_rollback(revstate, 0, 0);
 lfsr_rollback(revstate, 0, 0);
 lfsr_rollback(revstate, nr_enc, 1);
 lfsr_rollback(revstate, uid ^ tag_challenge, 0);
 crypto1_get_lfsr(revstate, &lfsr);
 printf("Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[0],plfsr[1],plfsr[2],plfsr[3],plfsr[4],plfsr[5]);

 return 0;
}

Then compiled with :

#gcc -o test2 test2.c crapto1.c crypto1.c

And run like this :

./test2
nt': 8d65734b
nt'': 9a427b20
ks2: e38f32ab
ks3: c6ef8f19
Found Key: [ff ff ff ff ff ff]

Troubleshooting

USB Connection issues

The Proxmark3 sometimes has trouble with USB connections, especially on Linux (although as of July 2009 the usb subsystem should automatically detach the Linux kernel driver, so make sure you are running the latest versions before resorting to the following fixes).

   For a short term fix : Plug the proxmark in an USB 1.1 hub or directly in a port on the computer, so ehci_hcd does not handle it, but the old USB 1.1 driver (uhci_hcd or ohci_hcd ; unloading ehci_hcd should do the trick, too).

On Ubuntu Jaunty, ehci_hcd support is built into the kernel. In this case, you can disable ehci support from the /sys/ interface :

# ls /sys/bus/pci/drivers/ehci_hcd

You should see an entry for your USB 2.0 host device, something like 0000:00:xx.x

Then do

# echo -n 0000:00:xx.x > unbind

This will unbind your device from ehci_hcd.

To be tested :

You can disable this on boot by creating a /etc/udev/rules.d/disable-ehci.rules file containing :

ACTION=="add", SUBSYSTEM=="pci", DRIVER=="ehci_hcd", RUN+="/bin/sh -c 'echo -n %k > %S%p/driver/unbind'"

Making the proxmark3 work without root access

Just create the right rules file in udev

~$ cat /etc/udev/rules.d/026-proxmark.rules
#Proxmark3
SYSFS{idVendor}=="9ac4", SYSFS{idProduct}=="4b8f", MODE="0660", GROUP="adm"

This one gives access to the proxmark for users in the adm group...

► Sign in to add a comment