Proxmark3 RDV4

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Summary

Proxmark3 RDV4

The Proxmark is an RFID swiss-army tool, allowing for both high and low-level interactions with the vast majority of RFID/NFC tags and systems worldwide (proxmark.com).

The Proxmark3 Dev Kit 4 (RDV4) is more compact and portable than the older versions and brings various improvements to the open-source design. Antennas are highly customizable and there is a new multifunction multiplexing interface to support additional components such as external battery, external active high powered antenna, Bluetooth interfaces and SIM/Smart card reader (hackerwarehouse.com).

This write-up concentrates on the improvements of the RDV4 over the RDV2 and will not cover the basic operations. For more, please visit Proxmark3: Useful commands or Proxmark3: FH-Campus Card NFC Security Valuation

Requirements

  • Proxmark3 RDV4

To use the Bluetooth module & for new features of the RDV4 use the new new repository

Setting-up & compiling are explained in the original documentation

For a quick introduction to the default commands please visit: Proxmark3: Useful commands

Smart Card

Hidden under the lid of the Proxmark RDV4 you can find a smart card reader. You can directly insert a smartcard directly into to the slot or insert it into the optional smartcard extender, which allows for card size formats.

Proxmark with the smartcard extender

For more information on reading and writing to smartcards please visit the follow-up post Proxmark3 RDV4: SmartCard

Bluetooth Module

With the Blue-Shark Module it is now possible to wirelessly communicate with the Proxmark RDV4!

Installation

  • 1. Remove the antenna cover and use the plastic prying tool to open the case.
  • 2. Remove the six screws of the antenna.
  • 3. Connect the Bluetooth cable to the Proxmark by first opening the black hinge of the ribbon cable.
  • 4. Insert the ribbon cable into the connector and close the hinge again.
  • 5. Remove the blue tape on the Bluetooth module.
  • 6. Push the module onto the Proxmark.
  • 7. Connect the antenna to the Proxmark and add the cover of the antenna.

To enable this feature you need to install the newest RfidResearchGroup/proxmark3 repo and enable the Bluetooth setting in the makefile: the instructions are based on Blue Shark Installation

Linux installation

Preperation
  • Update system:
sudo apt-get update
  • Install requirements:
sudo apt-get install --no-install-recommends git ca-certificates build-essential pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev
  • On Linux you have to make shure you remove of disable the ModemManager (this is usally pre-installed to interact with (2G,3G,4G) devices.
  • Remove ModemManager
sudo apt remove modemmanager
  • Download repostiory:
git clone https://github.com/RfidResearchGroup/proxmark3.git
  • cd into repo
cd proxmark3
  • Or update to the newest version:
git pull
Compile source code
  • Enable Bluetooth module
cp Makefile.platform.sample Makefile.platform
nano Makefile.platform
And uncomment the line #PLATFORM_EXTRAS=BTADDON by removing the # & save changes by pressing ctrl+x
  • Compile source code
make clean; make -j8
sudo make install
  • Add access rights
make accessrights
Now log off and log on again.
  • Connect the Proxmark3 to the computer
  • Flash the firmware
./pm3-flash-bootrom
./pm3-flash-all
Connect wirelessly to the Proxmark
  • Turn on the Bluetooth module (both switches to on)
  • Find MAC address
sudo hcitool scan
Scanning ...
 aa:bb:cc:dd:ee:ff PM3_RDV4.0
  • Bind your BT add-on MAC address to a serial port
sudo rfcomm bind rfcomm0 aa:bb:cc:dd:ee:ff
  • If connecting the first time:
bluetoothctl
[bluetooth]# pairable on
[bluetooth]# scan on
Discovery started
...
[CHG] Device aa:bb:cc:dd:ee:ff Name: PM3_RDV4.0
[bluetooth]# trust aa:bb:cc:dd:ee:ff
[bluetooth]# pair aa:bb:cc:dd:ee:ff
[agent] Enter PIN code: 1234
[bluetooth]# quit
  • Else, open the Proxmark client
proxmark3 /dev/rfcomm0
Now the Proxmark LED should stop blinking and turn solid blue. THe Proxmark client should show the default interface.

Antennas

The Proxmark3 RDV4 optionally ships with high-frequency (hf) and low-frequency (lf) antenna kits. They include a medium and long-range antenna. The following will show the differences between them.

High-Frequecy Antenna Kit

The hf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 40-85mm, medium-range antenna about 90mm, and the long-range has a reach of 100-120mm. A small test of mine concludes that this statement is only partially true.

  • Default HF-Antenna
  • Medium-Range HF-Antenna
  • Long-Range HF-Antenna

I tested the range of 4 different cards:

  • Card 1: HF-Card shipped with the RDV4: NXP MIFARE CLASSIC 1k Gen1A S50
  • Card 2: Student-Card: NXP MIFARE DESFire 4k
  • Card 3: Portugal, Proto MetroCard: Ultralight EV1 48bytes (MF0UL1101)
  • Card 4: SkiData Card: EM-Marin SA (Skidata); EM4233
(!)  denotes that the readings were inconsistent:
     The card only got recognized from time to time
(!!) denotes that the readings were very inconsistent:
     Only if lucky the card got recognized
/    denotes that the card got not read at all
Card Default-Antenna Medium-Range Antenna Long-Range Antenna
Shipped HF-Card 8 cm (!!) 0 cm (!!) 2 cm
Student-Card 5 cm (!) 0 cm (!) 7 cm
Metro-Card 8 cm / (!) 11 cm
SkiData-Card 7 cm 7 cm 11 cm

The results show that the antenna reach depends heavily on the card trying to read. The most consistent results came from the default-antenna that ships with the RDV4. As shown, the optional antennas did cope with the NXP Mifare cards very poorly but show improvements for the SkiData card.

Low-Frequency Antenna Kit

Sadly I do not have any lf-cards on hand and could not test the range of the given antennas.

The lf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 66 - 72mm, medium-range antenna about 90mm, and the long-range has a reach of 110 - 133mm. But as shown above, for the hf-antenna this depends heavily on the lf-card itself.

  • Medium-Range LF-Antenna
  • Long-Range LF-Antenna
  • LF-Antenna Switch

The optional antennas come with 2 switches: (source: lab401)

Q-Switch
The Q-Switch has two settings: 14 (Extended Range) and 7 (Extended Accuracy).
Q-Switch setting of 14 will give up to 30% further read range (on lf search / lf hid read etc commands).
Q-Switch setting of 7 will give better writing performance on T55XX and EM410XX tags.
Frequency Switch
The frequency switch allows for tuning to specific tag types: 125KHz or 134KHz.

Used Hardware

Proxmark3 RDV4 Kit

Proxmark3 RDV4.0 BT & Battery Addon Blue Shark

Proxmark3 RDV4.0 HF Antennas

Proxmark3 RDV4.0 LF Antennas

References