Difference between revisions of "Proxmark3: Installation"

From Embedded Lab Vienna for IoT & Security
(Update windows 10 doc and fix formatting)
(Add hf section)
Line 1: Line 1:
== Summary ==  
== Authors ==


Installation of Proxmark3 on macOS, Linux and Windows for RFID and NFC sniffing.
*Ostrowski, John
*Arseven, Can


== MacOS installation ==
== Summary ==  


=== Requirements ===
"NFC Hacking with Proxmark3" has been conducted during a school project, in which we analyzed the implementation of our NFC System. Which includes our on-campus cards, the printing system, snacks and drinks machines and the classroom doors. The additional output of this project was a (tested) guide on how to install the Proxmark3. For further details with regards to our project, concrete tests and more advanced commands please see our documentation [[Proxmark3: FH-Campus Card NFC Security Valuation]].


Xcode (AppStore) is a must.
In this thread we show a short overview of the different commands the proxmark3 environment has to offer.


In addition to make the installation easier have either HomeBrew or MacPorts ready.
== Requirements ==
A Tutorial for installing:
A) HomeBrew: https://docs.brew.sh/Installation
B) MacPorts: https://www.macports.org/install.php


Because of their different architecture (HomeBrew/MacPorts), some parts of this tutorial are split into:
Please see the [[Proxmark3: Installation]] guide for a full overview of requirements.
A) Installation with HomeBrew
However, the Operating systems on which we tested the installation on are:  
B) Installation with MacPorts
*Ubuntu 16.04/18.03
Just choose the tutorial that suits your current setup.
*Windows 10
*MacOS 10.x


=== Installation with HomeBrew ===
In order to complete the "Introduction" described below, you have to complete the [[Proxmark3: Installation]] guide first.


1. Download ("tap") the proxmark repository:
These overview is based on the proxmark3 client, published on Github on the 29. May 2019


  brew tap proxmark/proxmark3
== Introduction ==


2. Install proxmark3:
This introduction should only give you a glimpse of the available commands and possibilities of the Proxmark3. The official Proxmark3-Repository as well as the more advanced Ice-Man-Fork Repository (both linked in the reference section) provide lots of functions, though most of them are still in their alpha stage and therefore still need a bit of tinkering in order to work well. For further commands and our security analysis of our university feel free to have a look at our documentation!


  brew install proxmark3
=== The Commands ===


=== Manual Installation ===
After you have successfully completed the Install Proxmark3 guide, you should see a screen similar to this when connecting to your proxmark3:


Download the drivers and install them.
proxmark3>
If you have MacPorts:


  sudo port install p7zip readline libusb libusb-compat perl5 wget qt5\\ arm-none-eabi-gcc pkgconfig
You can always (in whichever menu you are) type 'help' in order to have a full list of available commands in that menu.
If you enter help in the start menu, you will get following output:
help            This help. Use '<command> help' for details of a particular command.
data            { Plot window / data buffer manipulation... }
hf              { High Frequency commands... }
hw              { Hardware commands... }
lf              { Low Frequency commands... }
emv              { EMV iso14443 and iso7816... }
sc              { Smartcard commands... }
script          { Scripting commands }
quit            Exit program
exit            Exit program


If you have HomeBrew:
==== hw ====


  brew tap nitsky/stm32
hw stands for hardware and lists a bunch of commands to get basic hardware information of the Proxmark3.
  brew install readline libusb p7zip libusb-compat wget qt5 pkgconfig\\ arm-none-eabi-gcc


Now you will need to add QT to the PKG_CONFIG_PATH so it find QT5 (replace YOUR_VERSION with your version number:
detectreader    ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff          Set FPGA off
lcd              <HEX command> <count> -- Send command/data to LCD
lcdreset        Hardware reset LCD
readmem          [address] -- Read memory at decimal address from flash
reset            Reset the Proxmark3
setlfdivisor    <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
setmux          <loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value
tune            ['l'|'h'] -- Measure antenna tuning (option 'l' or 'h' to limit to LF or HF)
version         Show version information about the connected Proxmark
status          Show runtime status information about the connected Proxmark
ping            Test if the pm3 is responsive


  export\\ PKG_CONFIG_PATH=/usr/local/Cellar/qt5/<<YOUR_VERSION>>/lib/pkgconfig/
We can check the version of the different builds of the Proxmark3 currently running on it:


3. And add moc_location in Qt5Core.pc file:
proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:05
os: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:22
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07


  export QT_PKG_CONFIG_QT5CORE=$(find /usr -name Qt5Core.pc 2>/dev/null)
We can now check the antenna strength of the attached antennas. If you have borrowed the proxmark3 of the Elvis IoT Lab you will get following output
  chmod 666 $QT_PKG_CONFIG_QT5CORE
  echo "moc_location=\${prefix}/bin/moc" >> $QT_PKG_CONFIG_QT5CORE
  chmod 444 $QT_PKG_CONFIG_QT5CORE


4. For link creation to avoid any errors of "readline" (may happen):
(If no smart card is in proximity):


   brew link --force readline
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 43.86 V @  125.00 kHz
# LF antenna: 21.04 V @  134.00 kHz
# LF optimal: 44.14 V @  123.71 kHz
# HF antenna: 30.41 V @   13.56 MHz


5. Now either git clone or manually download the Proxmark project. Git clone:
If we now lay a NFC card on the antennas the voltages changes:


  git clone https://github.com/Proxmark/proxmark3.git
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 44.27 V @  125.00 kHz
# LF antenna: 21.04 V @  134.00 kHz
# LF optimal: 44.27 V @  123.71 kHz
# HF antenna: *19.39 V* @    13.56 MHz


6. "cd" to the proxmark3 folder
We can see, that the voltage of the HF antenna dropped from 30 volts to about 19 volts. We can assume that the placed NFC card is a high frequency card.


7. Now jump to the section "Connecting your Proxmark"
==== hf ====
hf stands for high frequency, which are specified at a carrier frequency of about 13.56 MHz.
Possible commands that can be issued:


=== Connecting your Proxmark ===
proxmark3> hf
14a              { ISO14443A RFIDs... }
14b              { ISO14443B RFIDs... }
15              { ISO15693 RFIDs... }
epa              { German Identification Card... }
legic            { LEGIC RFIDs... }
iclass          { ICLASS RFIDs... }
mf              { MIFARE RFIDs... }
mfu              { MIFARE Ultralight RFIDs... }
mfp              { MIFARE Plus RFIDs... }
topaz            { TOPAZ (NFC Type 1) RFIDs... }
fido            { FIDO and FIDO2 authenticators... }
tune            Continuously measure HF antenna tuning
list            List protocol data in trace buffer
plot            Plot signal
search          Search for known HF tags [preliminary]
snoop            <samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop


1. Insert your Proxmark and run
Must of these group together different smart card manufactures. On the other hand 14a is a NFC card standard that describes low level communication of smart cards. Not all follow the same standard and some implement proprietary protocols. The Mifare cards are built upon the 14a standard and has additional commands which can be found in their specific directory.


  system_profiler SPUSBDataType
You usually start with the '''hf search''' command. It sends the card some data and analyses the return messages of the smart card. With this information it can make assumptions on what kind of card it may be.


2.a) If your Proxmark is CDC you should somewhere see in the output:
proxmark3> hf search
UID : 01 02 03 04
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search


  Product ID: 0x504d
Here we see that this card is classified as a Mifare Classic 1k. In particularly it also answers back to the Chinese magic backdoor command which tells us that this card is a clone card which allows us to change the UID block of the card. More on this can be found in the Documentation [[Proxmark3: FH-Campus Card NFC Security Valuation]]
  Vendor ID: 0x2d2d


2.b) If your Proxmark is an HID device you should see:
We can now issue the '''hf plot''' command which will display a waveform with the just sent and received data.


  Product ID: 0x4b8f
[[File:Example.jpg]]
  Vendor ID: 0x9ac4


If it is an HID Device you will need to upgrade it, then go to "Upgrading my Proxmark HID->CDC"
Thankfully people wrote programs that will parse this data a dedicated protocol ('''hf list'''). In this case we want to parse it as a Mifare classic communication with '''hf list mf'''.
If you have an CDC Proxmark you can jump to "Finish Line"


=== Upgrading my Proxmark HID->CDC ===
proxmark3> hf list mf
Recorded Activity (TraceLen = 156 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate
      Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation        |
-----------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
          0 |        992 | Rdr | 40'                                                            |    | MAGIC WUPC1
      2484 |      3060 | Tag | 0a'                                                            |    |
      7040 |      8352 | Rdr | 43                                                              |    | MAGIC WUPC2
      9524 |      10100 | Tag | 0a'                                                            |    |
      14080 |      18848 | Rdr | 50  00  57  cd                                                  |  ok | HALT
          0 |        992 | Rdr | 52'                                                            |    | WUPA
      2228 |      4596 | Tag | 04  00                                                          |    |
      7040 |      9504 | Rdr | 93  20                                                          |    | ANTICOLL
      10676 |      16564 | Tag | 01  02  03  04  04                                              |    |
      19328 |      29856 | Rdr | 93  70  01  02  03  04  04  8e  25                              |  ok | SELECT_UID
      31028 |      34548 | Tag | 08  b6  dd                                                      |    |
      47488 |      52192 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
      54196 |      58932 | Tag | 01  20  01  45                                                  |    | AUTH: nt


1. Compile the bootrom, OS and software:
... to be continued


  make clean; make


2. Also compile the HID compatible flash program:
Furthermore, when in the main menu (which we are after connecting to the Proxmark3) you should distinguish between Low-Frequency (LF) and High-Frequency (HF) tags (the exact meaning is further detailed in our documentation). Therefore the commands are split into hf and lf commands. If you have a Mifare card, they are typically HF cards. Try it by holding the card near your reader and type:


  cd client/hid-flasher;make
> hf search


3. Disconnect Apple's HID driver, by installing a dummy kernel driver:
HF search is a supposedly easy command, though it holds a lot of background information which is essential for successful NFC hacking. By now you should see an output which looks similar to this:


  sudo make install_kext
  > hf search
  sudo kextcache -system-caches
  UID  : 12 34 56 78
  ATQA : 00 04
  SAK  : 20 [1]
  TYPE : NXP MIFARE XX


4. Keep the Proxmark button pressed while reconnecting it to USB. Its yellow and red lights should light up (you can release the button after 5-ish seconds).


5. Now upgrade the bootrom:
== Used Hardware ==


  ./flasher -b ../../bootrom/obj/bootrom.elf
[https://wiki.elvis.science/index.php?title=Proxmark_3 Proxmark3]


6. cd ../..
== Additional Documentation ==


7. Disconnect your proxmark and keep the button pressed while reconnecting to USB.
* [[Proxmark3: Installation]]


8. While keeping the button pressed run to get the device name:
== References ==
 
  ls /dev/cu*
 
You should find a name like "/dev/cu.usbmodem####" (#### represents a number).
 
9. While still KEEPING PRESSED the button update the FPGA and its OS:
 
  ./client/flasher /dev/cu.usbmodem#### armsrc/obj/fullimage.elf
 
10. Disconnect the proxmark and release the button.
 
11. Now reconnect your proxmark to USB and run it:
 
  cd proxmark3/client
  ./proxmark3 /dev/cu.usbmodem####
 
No need to go to "Finish Line", you are already finished with setting up the Proxmark Environment
 
=== Finish Line ===
 
1. Compile the bootrom and OS:
 
  make clean; make
 
2. Disconnect your Proxmark from USB. Then keep the button pressed while reconnecting it back to USB. You can release the button when you see yellow/orange and red lights on your proxmark. (If you have an Elechouse v2 Proxmark3 or Elechouse v3 Proxmark3 Easy you do not need to press the button)
 
3. Figure out your device name:
 
  ls /dev/cu*
 
It should be something with /dev/cu.usbmodem#### (#### represents a number).
 
4. After you have found your device run the program:
 
  cd proxmark3/client
  ./proxmark3 /dev/cu.usbmodem####
 
== Linux installation ==
 
=== Requirements ===
 
* Operating system: Ubuntu 16.04 trusty amd64
 
=== Step 1 Compile resources:===


1. download and install some needed packages and libs
* https://github.com/Proxmark/proxmark3
 
* https://github.com/iceman1001/proxmark3
  sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib
 
2. clone proxmark3 git repository
 
  git clone https://github.com/proxmark/proxmark3.git
 
3. enter repo
 
  cd proxmark3
 
4. get newest version
 
  git pull
  git checkout v3.1.0      # important git checkout latest stable version!!
 
5. Install the blacklist rules
 
  sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
  sudo udevadm control --reload-rules
 
6. add current user to group
 
  sudo adduser $USER dialout
 
7. compile proxmark3
 
  make clean && make all
 
 
=== Step 2 Identify  proxmark3 device ===
 
  dmesg | grep -i usb
  [ 9704.503904] usb 1-3: Manufacturer: proxmark.org
  [ 9704.539638] cdc_acm 1-3:1.0: ttyACM0: USB ACM device
 
=== Step 3 Flash the firmware of the proxmark ===
 
  client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
 
if it does not succeed at first glance log out your user and log in again, this worked for me!!
 
== Windows installation ==
 
=== Requirements ===
The tested Version for Windows was Windows 10, therefore the requirements for successfully completing our installation guide are:
* Windows 10
* [https://git-scm.com/download/win Git for Windows]
 
=== Installation ===
In order to be able to connect to your Proxmark3 under Windows you need to emulate a Linux environment which is done through a tool called ProxSpace.
 
1. First you need to download the download the ProxSpace Repository through git.
'''Caution!''' Your current working directory should contain no whitespaces!
 
  git clone https://github.com/Gator96100/ProxSpace.git
 
2. Inside your ProxSpace Folder you should find "runme.bat". Start it.
 
3. This will create and install all necessary packets and folders. After you should see the pm3-console.
 
4. From this console you should change the directory to ProxSpace and download the Proxmark3 Repository:
 
  cd ProxSpace
  git clone https://github.com/Proxmark/proxmark3.git
 
5. After this process is complete, cd to the proxmark3 directory:
 
  cd proxmark3
 
6. Compile the proxmark3 project:
 
  make clean && make all
 
7. Install the proxmark3 driver
 
Since this driver is not officially signed by a trusted authority the installation is a bit tricky. You first must start Windows in save-mode. This is done easiest, when the sift-key is pressed while restarting your PC. On reboot you choose Startup-Settings followed by #7 Disable driver signature enforcement.
After the computer started up you connect the proxmark3 and go to the device manager, right click on the non-identified device (which is the proxmark3) and go to the settings. Click on update driver and search locally for the proxmark3.inf. If you have trouble getting the proxmark3 driver to work, please visit this [[https://store.ryscc.com/blogs/news/how-to-install-a-proxmark3-driver-on-windows-10 picture-guided tutorial]]
 
After, the installation should be complete and you can safely restart your PC to normal mode again. From there start the runme.bat and the pm3-console should appear.
 
=== Update your Proxmark3 ===
 
To update the firmware of your Proxmark3 to the latest version, open cmd and type in (with x standing for the right number of your COM port, e.g. COM2):
 
  ./proxmark/client/flasher COMx -b /bootrom/obj/bootrom.elf
  ./proxmark/client/flasher COMX ./armsrc/obj/fullimage.elf
 
=== Connecting to your Proxmark3 ===
 
After having done all the steps above you can safely connect to your Proxmark3 through (where x again stands for the right number of your COM port, e.g. COM2):
 
  ./client/proxmark3.exe COMx
 
== Usage ==
 
For using the Proxmark3 please visit our second documentation [[NFC Hacking Proxmark3]] and feel free to have a look at the [https://github.com/Proxmark/proxmark3 official repository]!
 
== Resources and Tutorials ==
 
* Client commands: https://github.com/Proxmark/proxmark3/wiki/commands
* Usage example: https://www.youtube.com/watch?v=FODGYfhqb4Q
* Basic tutorial for RFID usage: https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
* Advanced tutorial: https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
* Capture NFC traffic of apple pay transaction: https://salmg.net/2017/12/29/analyzing-an-apple-pay-transaction-with-proxmark3/
 
== Used Hardware ==
 
[[Proxmark 3]]
 
== References ==
* Product page and infos: https://www.elechouse.com/elechouse/index.php?main_page=product_info&cPath=90_93&products_id=2264&zenid=kmvhiob7nq1orc4pfjtf53sbr7
* Manual: https://www.elechouse.com/elechouse/images/product/proxmark3_V2/Proxmark3%20V2%20User%20Guid.pdf
* MacOS 10.x client installation: https://github.com/Proxmark/proxmark3/wiki/MacOS
* Linux 16.04 client installation: https://github.com/Proxmark/proxmark3/wiki/Ubuntu-Linux
* Windows 10 client installation: https://github.com/Proxmark/proxmark3/wiki/Windows


[[Category:Documentation]]
[[Category:Documentation]]
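Review bot: The added Requirements and Additional Documentation text links to [[Proxmark3: Installation]], which is the title of the page being edited, while the same revision removes the MacOS, Linux and Windows installation sections; after this change the page tells readers to complete a guide that points back to itself. Suggest keeping the installation steps here and moving the command overview (Summary through the hf section) to its own page, for example the [[NFC Hacking Proxmark3]] page that the old Usage section linked to. The tail of the new text also repeats the hf search walkthrough after "... to be continued" with a different sample UID; fold it into the hf section or drop it.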

Revision as of 11:45, 22 July 2019

Authors

  • Ostrowski, John
  • Arseven, Can

Summary

"NFC Hacking with Proxmark3" was conducted as a school project in which we analyzed the implementation of our NFC system, which includes our on-campus cards, the printing system, the snack and drink machines and the classroom doors. An additional output of this project was a (tested) guide on how to install the Proxmark3. For further details on our project, concrete tests and more advanced commands, please see our documentation Proxmark3: FH-Campus Card NFC Security Valuation.

In this thread we show a short overview of the different commands the proxmark3 environment has to offer.

Requirements

Please see the Proxmark3: Installation guide for a full overview of requirements. The operating systems on which we tested the installation are:

  • Ubuntu 16.04/18.03
  • Windows 10
  • MacOS 10.x

In order to complete the "Introduction" described below, you have to complete the Proxmark3: Installation guide first.

This overview is based on the proxmark3 client published on GitHub on 29 May 2019.

Introduction

This introduction should only give you a glimpse of the available commands and possibilities of the Proxmark3. The official Proxmark3-Repository as well as the more advanced Ice-Man-Fork Repository (both linked in the reference section) provide lots of functions, though most of them are still in their alpha stage and therefore still need a bit of tinkering in order to work well. For further commands and our security analysis of our university feel free to have a look at our documentation!

The Commands

After you have successfully completed the Install Proxmark3 guide, you should see a screen similar to this when connecting to your proxmark3:

proxmark3>

You can always (in whichever menu you are) type 'help' to get a full list of the commands available in that menu. If you enter help in the start menu, you will get the following output:

help             This help. Use '<command> help' for details of a particular command.
data             { Plot window / data buffer manipulation... }
hf               { High Frequency commands... }
hw               { Hardware commands... }
lf               { Low Frequency commands... }
emv              { EMV iso14443 and iso7816... }
sc               { Smartcard commands... }
script           { Scripting commands }
quit             Exit program
exit             Exit program

hw

hw stands for hardware and lists a bunch of commands to get basic hardware information of the Proxmark3.

detectreader     ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff          Set FPGA off
lcd              <HEX command> <count> -- Send command/data to LCD
lcdreset         Hardware reset LCD
readmem          [address] -- Read memory at decimal address from flash
reset            Reset the Proxmark3
setlfdivisor     <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
setmux           <loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value
tune             ['l'|'h'] -- Measure antenna tuning (option 'l' or 'h' to limit to LF or HF)
version          Show version information about the connected Proxmark
status           Show runtime status information about the connected Proxmark
ping             Test if the pm3 is responsive

We can check the version of the different builds of the Proxmark3 currently running on it:

proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:05
os: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:22
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07

We can now check the antenna strength of the attached antennas. If you have borrowed the Proxmark3 of the Elvis IoT Lab, you will get the following output (if no smart card is in proximity):

proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 43.86 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.14 V @   123.71 kHz
# HF antenna: 30.41 V @    13.56 MHz

If we now lay an NFC card on the antennas, the voltages change:

proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 44.27 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.27 V @   123.71 kHz
# HF antenna: *19.39 V* @    13.56 MHz

We can see that the voltage of the HF antenna dropped from 30 volts to about 19 volts. A card tuned to that band draws energy from the field and loads the antenna, so we can assume that the placed NFC card is a high frequency card.
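The comparison of the two hw tune runs can be scripted. The following is an added example, not part of the original page or of the Proxmark3 client: it parses both outputs shown above and reports the band whose antenna voltage fell. The function names and the 20 % threshold are assumptions of this example.

```python
import re

# The two `hw tune` outputs shown above. The asterisks around the HF reading in
# the second capture are emphasis from the page, not client output.
BASELINE = """\
# LF antenna: 43.86 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.14 V @   123.71 kHz
# HF antenna: 30.41 V @    13.56 MHz
"""
WITH_CARD = """\
# LF antenna: 44.27 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.27 V @   123.71 kHz
# HF antenna: *19.39 V* @    13.56 MHz
"""

# Matches only the fixed-frequency "antenna" lines; the "optimal" line is
# skipped because its peak frequency can move between runs.
READING = re.compile(
    r"#\s*(LF|HF)\s+antenna:\s*\*?(\d+(?:\.\d+)?)\s*V\*?\s*@\s*"
    r"(\d+(?:\.\d+)?)\s*(kHz|MHz)"
)
SCALE = {"kHz": 1_000, "MHz": 1_000_000}


def parse_tune(text):
    """Return {(band, frequency in Hz): volts} for every antenna reading."""
    readings = {}
    for m in READING.finditer(text):
        band, volts, freq, unit = m.groups()
        readings[(band, round(float(freq) * SCALE[unit]))] = float(volts)
    return readings


def relative_drops(baseline, loaded):
    """Fractional voltage drop per reading present in both captures."""
    base, card = parse_tune(baseline), parse_tune(loaded)
    return {
        key: (v0 - card[key]) / v0
        for key, v0 in base.items()
        if key in card and v0 > 0
    }


def loaded_bands(baseline, loaded, min_drop=0.20):
    """Bands where a reading fell by at least min_drop (assumed threshold)."""
    drops = relative_drops(baseline, loaded)
    return sorted({band for (band, _), d in drops.items() if d >= min_drop})


if __name__ == "__main__":
    for (band, hz), drop in sorted(relative_drops(BASELINE, WITH_CARD).items()):
        print(f"{band} @ {hz} Hz: {drop:+.1%}")
    print("card loads:", loaded_bands(BASELINE, WITH_CARD))
```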

hf

hf stands for high frequency; these cards operate at a carrier frequency of about 13.56 MHz. Possible commands that can be issued:

proxmark3> hf
14a              { ISO14443A RFIDs... }
14b              { ISO14443B RFIDs... }
15               { ISO15693 RFIDs... }
epa              { German Identification Card... }
legic            { LEGIC RFIDs... }
iclass           { ICLASS RFIDs... }
mf               { MIFARE RFIDs... }
mfu              { MIFARE Ultralight RFIDs... }
mfp              { MIFARE Plus RFIDs... }
topaz            { TOPAZ (NFC Type 1) RFIDs... }
fido             { FIDO and FIDO2 authenticators... }
tune             Continuously measure HF antenna tuning
list             List protocol data in trace buffer
plot             Plot signal
search           Search for known HF tags [preliminary]
snoop            <samples to skip (10000)> <triggers to skip (1)> Generic HF Snoop

Most of these group together the cards of different smart card manufacturers. 14a, on the other hand, is an NFC card standard that describes the low-level communication of smart cards. Not all cards follow the same standard, and some implement proprietary protocols. The Mifare cards are built upon the 14a standard and have additional commands, which can be found in their specific directory.

You usually start with the hf search command. It sends the card some data and analyses the return messages of the smart card. With this information it can make assumptions on what kind of card it may be.

proxmark3> hf search
UID : 01 02 03 04
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
Valid ISO14443A Tag Found - Quiting Search

Here we see that this card is classified as a Mifare Classic 1k. In particular, it also answers the Chinese magic backdoor command, which tells us that this is a clone card that allows us to change the UID block of the card. More on this can be found in the documentation Proxmark3: FH-Campus Card NFC Security Valuation.

We can now issue the hf plot command which will display a waveform with the just sent and received data.

Example.jpg

Thankfully, people wrote programs that parse this data according to a dedicated protocol (hf list). In this case we want to parse it as a Mifare Classic communication with hf list mf.

proxmark3> hf list mf
Recorded Activity (TraceLen = 156 bytes)
Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer
iso14443a - All times are in carrier periods (1/13.56Mhz)
iClass    - Timings are not as accurate
     Start |        End | Src | Data (! denotes parity error, ' denotes short bytes)            | CRC | Annotation         |
-----------|------------|-----|-----------------------------------------------------------------|-----|--------------------|
         0 |        992 | Rdr | 40'                                                             |     | MAGIC WUPC1
      2484 |       3060 | Tag | 0a'                                                             |     |
      7040 |       8352 | Rdr | 43                                                              |     | MAGIC WUPC2
      9524 |      10100 | Tag | 0a'                                                             |     |
     14080 |      18848 | Rdr | 50  00  57  cd                                                  |  ok | HALT
         0 |        992 | Rdr | 52'                                                             |     | WUPA
      2228 |       4596 | Tag | 04  00                                                          |     |
      7040 |       9504 | Rdr | 93  20                                                          |     | ANTICOLL
     10676 |      16564 | Tag | 01  02  03  04  04                                              |     |
     19328 |      29856 | Rdr | 93  70  01  02  03  04  04  8e  25                              |  ok | SELECT_UID
     31028 |      34548 | Tag | 08  b6  dd                                                      |     |
     47488 |      52192 | Rdr | 60  00  f5  7b                                                  |  ok | AUTH-A(0)
     54196 |      58932 | Tag | 01  20  01  45                                                  |     | AUTH: nt
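
The trace above can be checked offline. The following added example (not part of the original page or of the Proxmark3 client) parses the rows of the hf list mf output, recomputes the ISO 14443-3 CRC_A on every full-byte frame and verifies the BCC (the XOR of the four UID bytes) in the anticollision reply and in the SELECT command. The function names and the record layout are assumptions of this example.

```python
import re

# Rows copied from the `hf list mf` trace above (column padding trimmed).
TRACE = """\
    0 |   992 | Rdr | 40'                        |    | MAGIC WUPC1
 2484 |  3060 | Tag | 0a'                        |    |
 7040 |  8352 | Rdr | 43                         |    | MAGIC WUPC2
 9524 | 10100 | Tag | 0a'                        |    |
14080 | 18848 | Rdr | 50 00 57 cd                | ok | HALT
    0 |   992 | Rdr | 52'                        |    | WUPA
 2228 |  4596 | Tag | 04 00                      |    |
 7040 |  9504 | Rdr | 93 20                      |    | ANTICOLL
10676 | 16564 | Tag | 01 02 03 04 04             |    |
19328 | 29856 | Rdr | 93 70 01 02 03 04 04 8e 25 | ok | SELECT_UID
31028 | 34548 | Tag | 08 b6 dd                   |    |
47488 | 52192 | Rdr | 60 00 f5 7b                | ok | AUTH-A(0)
54196 | 58932 | Tag | 01 20 01 45                |    | AUTH: nt
"""

# One data token: two hex digits, optionally flagged ' (short) or ! (parity).
TOKEN = re.compile(r"^([0-9a-fA-F]{2})([!']?)$")


def crc_a(data: bytes) -> bytes:
    """CRC_A of ISO 14443-3: initial value 0x6363, sent low byte first."""
    crc = 0x6363
    for byte in data:
        byte ^= crc & 0xFF
        byte ^= (byte << 4) & 0xFF
        crc = ((crc >> 8) ^ (byte << 8) ^ (byte << 3) ^ (byte >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def bcc(uid: bytes) -> int:
    """Block check character: XOR of the UID bytes of one cascade level."""
    value = 0
    for b in uid:
        value ^= b
    return value


def parse_trace(text: str) -> list:
    """Turn trace rows into dicts; banner, header and ruler lines are skipped."""
    frames = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        tokens = [TOKEN.match(t) for t in cols[3].split()]
        if not tokens or None in tokens:
            continue
        frames.append({
            "start": int(cols[0]), "end": int(cols[1]), "src": cols[2],
            "data": bytes(int(t.group(1), 16) for t in tokens),
            "short": any(t.group(2) == "'" for t in tokens),
            "parity_error": any(t.group(2) == "!" for t in tokens),
            "crc_flag": cols[4], "note": cols[5],
        })
    return frames


def audit(frames: list) -> list:
    """Recompute CRC_A and BCC. crc_valid is False for frames that carry no
    CRC by design (the UID+BCC reply and the MIFARE tag nonce)."""
    results, last_reader = [], b""
    for f in frames:
        d = f["data"]
        r = {"src": f["src"], "hex": d.hex(), "note": f["note"],
             "crc_valid": None, "bcc_valid": None}
        if not f["short"] and len(d) >= 3:
            r["crc_valid"] = crc_a(d[:-2]) == d[-2:]
        if f["src"] == "Rdr" and len(d) == 9 and d[:2] == b"\x93\x70":
            r["bcc_valid"] = bcc(d[2:6]) == d[6]      # SELECT: UID + BCC + CRC
        elif f["src"] == "Tag" and len(d) == 5 and last_reader == b"\x93\x20":
            r["bcc_valid"] = bcc(d[:4]) == d[4]       # reply to ANTICOLL
        if f["src"] == "Rdr":
            last_reader = d
        results.append(r)
    return results


if __name__ == "__main__":
    for row in audit(parse_trace(TRACE)):
        print(row)
```

A reader frame that the client marks "ok" should also come out with crc_valid True here; a mismatch points to a damaged capture or a transcription error in the trace.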

... to be continued


Furthermore, in the main menu (where we are after connecting to the Proxmark3) you should distinguish between Low-Frequency (LF) and High-Frequency (HF) tags (the exact meaning is further detailed in our documentation). The commands are therefore split into hf and lf commands. Mifare cards are typically HF cards. Try it by holding the card near your reader and typing:

> hf search

HF search is a supposedly easy command, though it holds a lot of background information which is essential for successful NFC hacking. By now you should see an output which looks similar to this:

 > hf search
 UID  : 12 34 56 78
 ATQA : 00 04
 SAK  : 20 [1]
 TYPE : NXP MIFARE XX


Used Hardware

Proxmark3

Additional Documentation

References