Proxmark3: Useful commands

From Embedded Lab Vienna for IoT & Security
Revision as of 10:59, 22 July 2019 by Jostrowski (talk | contribs) (Add hw section)

Authors

  • Ostrowski, John
  • Arseven, Can

Summary

"NFC Hacking with Proxmark3" was conducted as a school project in which we analyzed the implementation of our NFC system, which includes our on-campus cards, the printing system, the snack and drink machines and the classroom doors. An additional output of this project was a (tested) guide on how to install the Proxmark3. For further details regarding our project, concrete tests and more advanced commands, please see our documentation Proxmark3: FH-Campus Card NFC Security Valuation.

In this thread we show a short overview of the different commands the proxmark3 environment has to offer.

Requirements

Please see the Proxmark3: Installation guide for a full overview of requirements. The operating systems on which we tested the installation are:

  • Ubuntu 16.04/18.03
  • Windows 10
  • MacOS 10.x

In order to complete the "Introduction" described below, you have to complete the Proxmark3: Installation guide first.

This overview is based on the proxmark3 client published on GitHub on 29 May 2019.

Introduction

This introduction should only give you a glimpse of the available commands and possibilities of the Proxmark3. The official Proxmark3-Repository as well as the more advanced Ice-Man-Fork Repository (both linked in the reference section) provide lots of functions, though most of them are still in their alpha stage and therefore still need a bit of tinkering in order to work well. For further commands and our security analysis of our university feel free to have a look at our documentation!

The Commands

After you have successfully completed the Install Proxmark3 guide, you should see a screen similar to this when connecting to your proxmark3:

proxmark3>

In whichever menu you are, you can always type 'help' to get a full list of the commands available in that menu. If you enter help in the start menu, you will get the following output:

help             This help. Use '<command> help' for details of a particular command.
data             { Plot window / data buffer manipulation... }
hf               { High Frequency commands... }
hw               { Hardware commands... }
lf               { Low Frequency commands... }
emv              { EMV iso14443 and iso7816... }
sc               { Smartcard commands... }
script           { Scripting commands }
quit             Exit program
exit             Exit program

hw

hw stands for hardware and lists a bunch of commands to get basic hardware information of the Proxmark3.

detectreader     ['l'|'h'] -- Detect external reader field (option 'l' or 'h' to limit to LF or HF)
fpgaoff          Set FPGA off
lcd              <HEX command> <count> -- Send command/data to LCD
lcdreset         Hardware reset LCD
readmem          [address] -- Read memory at decimal address from flash
reset            Reset the Proxmark3
setlfdivisor     <19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)
setmux           <loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value
tune             ['l'|'h'] -- Measure antenna tuning (option 'l' or 'h' to limit to LF or HF)
version          Show version information about the connected Proxmark
status           Show runtime status information about the connected Proxmark
ping             Test if the pm3 is responsive

We can check which bootrom, OS and FPGA builds are currently running on the Proxmark3:

proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:05
os: master/v3.1.0-94-gd38bb3a-dirty-suspect 2019-06-01 14:36:22
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2019/03/20 at 08:08:07

We can now check the antenna strength of the attached antennas. If you have borrowed the proxmark3 of the Elvis IoT Lab, you will get the following output (if no smart card is in proximity):

proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 43.86 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.14 V @   123.71 kHz
# HF antenna: 30.41 V @    13.56 MHz

If we now lay an NFC card on the antennas, the voltages change:

proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 44.27 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.27 V @   123.71 kHz
# HF antenna: ***19.39 V*** @    13.56 MHz

We can see that the voltage of the HF antenna dropped from 30 volts to about 19 volts, while the LF readings stayed practically the same. We can assume that the placed NFC card is a high frequency card.
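
The comparison above can be scripted. The following is an added example, not part of the original guide or of the proxmark3 client: it parses the two hw tune outputs shown above (embedded as sample input) and reports which band lost voltage. The function names and the 15 % drop threshold are assumptions chosen for illustration.

```python
import re

# Sample input: the two `hw tune` runs shown above
# (first without a card, then with a card on the antennas).
BASELINE = """\
# LF antenna: 43.86 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.14 V @   123.71 kHz
# HF antenna: 30.41 V @    13.56 MHz
"""
WITH_CARD = """\
# LF antenna: 44.27 V @   125.00 kHz
# LF antenna: 21.04 V @   134.00 kHz
# LF optimal: 44.27 V @   123.71 kHz
# HF antenna: ***19.39 V*** @    13.56 MHz
"""

# Tolerates the *** emphasis markers that appear around a value above.
LINE = re.compile(
    r"#\s*(LF|HF) (antenna|optimal):\s*\**\s*([\d.]+) V\**\s*@\s*([\d.]+) (kHz|MHz)"
)

def parse_tune(text):
    """Return {(band, kind, frequency): volts} for every measurement line."""
    readings = {}
    for m in LINE.finditer(text):
        band, kind, volts, freq, unit = m.groups()
        readings[(band, kind, f"{float(freq):g} {unit}")] = float(volts)
    return readings

def loaded_bands(baseline, loaded, min_drop=0.15):
    """Bands whose fixed-frequency antenna voltage fell by >= min_drop (relative).

    min_drop is an assumed threshold, not a value from the Proxmark3 project.
    'optimal' lines are skipped because their frequency can differ between runs.
    """
    before, after = parse_tune(baseline), parse_tune(loaded)
    bands = set()
    for key, v0 in before.items():
        v1 = after.get(key)
        if key[1] != "antenna" or v1 is None or v0 <= 0:
            continue
        if (v0 - v1) / v0 >= min_drop:
            bands.add(key[0])
    return sorted(bands)
```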


... to be continued


Furthermore, in the main menu (where we are after connecting to the Proxmark3) you should distinguish between Low-Frequency (LF) and High-Frequency (HF) tags (the exact meaning is further detailed in our documentation). The commands are therefore split into hf and lf commands. Mifare cards are typically HF cards. Try it by holding the card near your reader and typing:

> hf search

hf search looks like a simple command, though its output carries a lot of background information which is essential for successful NFC hacking. By now you should see output similar to this:

 > hf search
 UID  : 12 34 56 78
 ATQA : 00 04
 SAK  : 20 [1]
 TYPE : NXP MIFARE XX
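
To show what the UID, ATQA and SAK fields carry, the following added example (not part of the original guide or of the proxmark3 client) parses the output above and decodes the ISO/IEC 14443-3 bits. The function names are hypothetical, and it assumes the client prints the ATQA high byte first, so the low byte is the last one shown.

```python
import re

# Sample input: the `hf search` output shown above.
SAMPLE = """\
 UID  : 12 34 56 78
 ATQA : 00 04
 SAK  : 20 [1]
 TYPE : NXP MIFARE XX
"""

# ISO/IEC 14443-3: bits 7..6 of the low ATQA byte declare the UID size.
UID_SIZES = {0: 4, 1: 7, 2: 10}

FIELD = re.compile(r"^\s*(UID|ATQA|SAK)\s*:\s*((?:[0-9A-Fa-f]{2} ?)+)", re.M)

def parse_hf_search(text):
    """Extract UID, ATQA and SAK as raw bytes from hf search output."""
    fields = {name: bytes.fromhex(hexbytes) for name, hexbytes in FIELD.findall(text)}
    missing = {"UID", "ATQA", "SAK"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields

def describe(fields):
    """Decode the anticollision fields into what they say about the card."""
    uid, atqa, sak = fields["UID"], fields["ATQA"], fields["SAK"][0]
    declared = UID_SIZES.get(atqa[-1] >> 6)  # low byte printed last (assumption)
    return {
        "uid_len": len(uid),
        "declared_uid_len": declared,
        # A mismatch means the printed UID and the ATQA disagree: worth a second look.
        "uid_len_consistent": declared == len(uid),
        # SAK bit 3 (0x04) is the cascade bit: set while the UID is not yet complete.
        "uid_complete": not sak & 0x04,
        # SAK bit 6 (0x20): card supports the ISO/IEC 14443-4 transport protocol.
        "iso14443_4": bool(sak & 0x20),
    }
```

For the sample above, the 4-byte UID matches the size declared in the ATQA, and SAK 20 marks the card as ISO/IEC 14443-4 capable.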


Used Hardware

Proxmark3

Additional Documentation

References