Proxmark3 RDV4

From Embedded Lab Vienna for IoT & Security

== Summary ==

[[File:Prox no case size.jpg|thumb|500px|Proxmark3 RDV4]]
 
The Proxmark is an RFID swiss-army tool, allowing for both high and low-level interactions with the vast majority of RFID/NFC tags and systems worldwide (proxmark.com).
 
The Proxmark3 Dev Kit 4 (RDV4) is more compact and portable than the older versions and brings various improvements to the open-source design. Antennas are highly customizable and there is a new multifunction multiplexing interface to support additional components such as external battery, external active high powered antenna, Bluetooth interfaces and SIM/Smart card reader (hackerwarehouse.com).
 
This write-up concentrates on the improvements of the RDV4 over the RDV2 and will not cover the basic operations. For more, please visit [[Proxmark3: Useful commands]] or [[Proxmark3: FH-Campus Card NFC Security Valuation]]

== Requirements ==

* Proxmark3 RDV4
 
To use the Bluetooth module and the other new features of the RDV4, use the [https://github.com/RfidResearchGroup/proxmark3.git RfidResearchGroup repository]
 
Setting-up & compiling are explained in the [https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/md/Installation_Instructions/Linux-Installation-Instructions.md original documentation]
 
For a quick introduction to the default commands please visit: [[Proxmark3: Useful commands]]
 
== Smart Card ==
 
Hidden under the lid of the Proxmark RDV4 is a smart card reader. You can insert a smart card directly into the slot, or use the optional smart card extender, which accepts full-size card formats.
 
[[File:Prox smartcard.jpg|800px|Proxmark with the smartcard extender]]
 
For more information on reading and writing to smartcards please visit the follow-up post [[Proxmark3 RDV4: SmartCard]]

== Bluetooth Module ==

With the Blue Shark module it is now possible to communicate wirelessly with the Proxmark RDV4.

=== Installation ===

<div><ul>
<li style="display: inline-block;"> [[File:Prox open case.jpg|thumb|none|x300px|1. Remove the antenna cover and use the plastic prying tool to open the case.]] </li>
<li style="display: inline-block;"> [[File:Prox remove antenna.jpg|thumb|none|x300px|2. Remove the six screws of the antenna.]] </li>
<li style="display: inline-block;"> [[File:Prox bt cable.jpg|thumb|none|x300px|3. Connect the Bluetooth cable to the Proxmark by first opening the black hinge of the ribbon cable.]] </li>
<li style="display: inline-block;"> [[File:Prox bt cable2.jpg|thumb|none|x300px|4. Insert the ribbon cable into the connector and close the hinge again.]] </li>
<li style="display: inline-block;"> [[File:Prox bt.jpg|thumb|none|x300px|5. Remove the blue tape on the Bluetooth module.]] </li>
<li style="display: inline-block;"> [[File:Prox bt2.jpg|thumb|none|x300px|6. Push the module onto the Proxmark.]] </li>
<li style="display: inline-block;"> [[File:Prox bt3.jpg|thumb|none|x300px|7. Connect the antenna to the Proxmark and add the cover of the antenna.]]</li>
</ul></div>

To use the module you need the current RfidResearchGroup/proxmark3 repository with the Bluetooth add-on enabled in <code>Makefile.platform</code>. The following instructions are based on the [https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/bt_manual_v10.md Blue Shark manual].

=== Linux installation ===

; Preparation
* Update the package index:
: <code>sudo apt-get update</code>
* Install the build requirements:
: <code>sudo apt-get install --no-install-recommends git ca-certificates build-essential pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev</code>
* On Linux, remove or disable ModemManager. It is usually pre-installed to talk to 2G/3G/4G modems and probes every newly attached serial device, which interferes with the Proxmark's USB serial port and with flashing.
: <code>sudo apt remove modemmanager</code>
* Download the repository:
: <code>git clone https://github.com/RfidResearchGroup/proxmark3.git</code>
* Change into the repository:
: <code>cd proxmark3</code>
* Or, if you already have a clone, update it to the newest version:
: <code>git pull</code>
; Compile source code
* Enable the Bluetooth add-on
: <code>cp Makefile.platform.sample Makefile.platform</code>
: <code>nano Makefile.platform</code>
: Uncomment the line <code>#PLATFORM_EXTRAS=BTADDON</code> by removing the <code>#</code>, then save with <code>Ctrl+O</code> and exit with <code>Ctrl+X</code>.
* Compile source code
: <code>make clean; make -j8</code>
: <code>sudo make install</code>
* Add access rights
: <code>make accessrights</code>
: Now log off and log on again.
* Connect the Proxmark3 to the computer
* Flash the firmware
: <code>./pm3-flash-bootrom</code>
: <code>./pm3-flash-all</code>
; Connect wirelessly to the Proxmark
* Turn on the Bluetooth module (both switches to on)
* Find the MAC address of the module (it advertises itself as <code>PM3_RDV4.0</code>)
 sudo hcitool scan
 Scanning ...
   aa:bb:cc:dd:ee:ff PM3_RDV4.0
* Bind the MAC address of the BT add-on to a serial port
: <code>sudo rfcomm bind rfcomm0 aa:bb:cc:dd:ee:ff</code>
* If connecting for the first time, pair the module (the default PIN is <code>1234</code>):
 bluetoothctl
 [bluetooth]# pairable on
 [bluetooth]# scan on
 Discovery started
 ...
 [CHG] Device aa:bb:cc:dd:ee:ff Name: PM3_RDV4.0
 [bluetooth]# trust aa:bb:cc:dd:ee:ff
 [bluetooth]# pair aa:bb:cc:dd:ee:ff
 [agent] Enter PIN code: 1234
 [bluetooth]# quit
: Note that <code>1234</code> is a well-known factory default and the module pairs with a static PIN: anyone in Bluetooth range who knows it can pair with the module and drive the Proxmark over the serial link. Keep the module switched off when you are not using it.
* Otherwise, open the Proxmark client on the bound serial port
: <code>proxmark3 /dev/rfcomm0</code>
: The Proxmark's LED should stop blinking and turn solid blue, and the client should show its usual prompt.
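The wireless connection steps above can be scripted. The following POSIX shell helpers are an added example and are not part of the original page or of the proxmark3 project: they parse the <code>hcitool scan</code> output for the module's name (rejecting anything that is not a well-formed MAC before it reaches <code>rfcomm</code>), check <code>bluetoothctl paired-devices</code> so the interactive pairing step only runs on first use, and then bind the rfcomm device and start the client. The function names, the embedded sample outputs and the assumption that <code>bluetoothctl paired-devices</code> prints lines of the form <code>Device &lt;MAC&gt; &lt;name&gt;</code> are mine.

```shell
#!/bin/sh
# Added example (not from the page or the proxmark3 project): helpers that
# automate the "Connect wirelessly to the Proxmark" steps for the Blue Shark
# module. Device name and rfcomm device are the defaults used on the page.
PM3_BT_NAME="PM3_RDV4.0"
PM3_RFCOMM="rfcomm0"

# upper STRING - print STRING in upper case (MAC addresses are compared
# case-insensitively because the tools print them in different cases).
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# pm3_bt_mac NAME - read `hcitool scan` output on stdin and print the MAC of
# the device called NAME. Lines look like "<tab>MAC<tab>name"; the header
# "Scanning ..." and any line whose first field is not a well-formed MAC are
# skipped, so a stray line can never end up as an argument to rfcomm.
# Exit status 1 if no such device is listed.
pm3_bt_mac() {
    want="$1"
    hex='[0-9A-Fa-f][0-9A-Fa-f]'
    while IFS="$(printf ' \t')" read -r mac name; do
        case "$mac" in
            $hex:$hex:$hex:$hex:$hex:$hex) ;;   # looks like a MAC, keep going
            *) continue ;;
        esac
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$mac"
            return 0
        fi
    done
    return 1
}

# pm3_bt_is_paired MAC - read `bluetoothctl paired-devices` output on stdin
# (assumed format: "Device <MAC> <name>") and succeed if MAC is listed.
pm3_bt_is_paired() {
    want="$(upper "$1")"
    while read -r kw mac _rest; do
        if [ "$kw" = "Device" ] && [ "$(upper "$mac")" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# pm3_bt_connect - scan, pair on first use, bind the serial port and start
# the client. Needs root for hcitool/rfcomm and the module switched on.
pm3_bt_connect() {
    mac="$(hcitool scan | pm3_bt_mac "$PM3_BT_NAME")" || {
        echo "no device named $PM3_BT_NAME found; is the module switched on?" >&2
        return 1
    }
    if ! bluetoothctl paired-devices | pm3_bt_is_paired "$mac"; then
        # First connection: pair interactively as shown on the page
        # (pairable on / scan on / trust / pair, then the PIN when prompted).
        echo "not paired yet; run: trust $mac, pair $mac, then quit" >&2
        bluetoothctl
    fi
    rfcomm release "$PM3_RFCOMM" 2>/dev/null   # ignore "not bound" on first run
    rfcomm bind "$PM3_RFCOMM" "$mac"
    proxmark3 "/dev/$PM3_RFCOMM"
}
```

Source the file and call <code>pm3_bt_connect</code> as root; the two parsing helpers can also be used on their own, for example <code>hcitool scan | pm3_bt_mac PM3_RDV4.0</code>.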

== Antennas ==

The Proxmark3 RDV4 optionally ships with high-frequency (HF) and low-frequency (LF) antenna kits, each containing a medium-range and a long-range antenna. The following shows the differences between them.
 
=== High-Frequency Antenna Kit ===
 
The HF antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store [https://lab401.com/products/proxmark-3-rdv4-long-range-hf-antenna-1 lab401] gives the range of the default antenna as about 40-85 mm, of the medium-range antenna as about 90 mm, and of the long-range antenna as 100-120 mm. A small test of mine shows that this holds only partially.
 
<div><ul>
<li style="display: inline-block;"> [[File:Prox hf normal.jpg|thumb|none|x300px|Default HF-Antenna]] </li>
<li style="display: inline-block;"> [[File:Prox hf med.jpg|thumb|none|x300px|Medium-Range HF-Antenna]] </li>
<li style="display: inline-block;"> [[File:Prox hf long.jpg|thumb|none|x300px|Long-Range HF-Antenna]] </li>
</ul></div>
 
I tested the range of 4 different cards:
 
* Card 1: HF-Card shipped with the RDV4: NXP MIFARE CLASSIC 1k Gen1A S50
* Card 2: Student-Card: NXP MIFARE DESFire 4k
* Card 3: Portugal, Proto MetroCard:  Ultralight EV1 48bytes (MF0UL1101)
* Card 4: SkiData Card: EM-Marin SA (Skidata); EM4233
 
(!)  denotes that the readings were inconsistent:
      The card only got recognized from time to time
(!!) denotes that the readings were '''very''' inconsistent:
      Only if lucky the card got recognized
/    denotes that the card got not read at all
 
{| class="wikitable"
|-
! scope="col" | Card
! scope="col" | Default-Antenna
! scope="col" | Medium-Range Antenna
! scope="col" | Long-Range Antenna
|-
! scope="row" | Shipped HF-Card
| 8 cm
| (!!) 0 cm
| (!!) 2 cm
|-
! scope="row" | Student-Card
| 5 cm
| (!) 0 cm
| (!) 7 cm
|-
! scope="row" | Metro-Card
| 8 cm
| /
| (!) 11 cm
|-
! scope="row" | SkiData-Card
| 7 cm
| 7 cm
| 11 cm
|}
 
The results show that the antenna reach depends heavily on the card being read. The most consistent results came from the default antenna that ships with the RDV4. As the table shows, the optional antennas coped very poorly with the NXP MIFARE cards but gave a longer reach for the SkiData card.
 
=== Low-Frequency Antenna Kit ===
 
Sadly I do not have any LF cards on hand and could not test the range of these antennas.
 
The LF antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store [https://lab401.com/products/proxmark-3-rdv4-01-long-range-lf-antenna-pack lab401] gives the range of the default antenna as about 66-72 mm, of the medium-range antenna as about 90 mm, and of the long-range antenna as 110-133 mm. But as the HF test above shows, the actual reach depends heavily on the card itself.
 
<div><ul>
<li style="display: inline-block;"> [[File:Prox lf med.jpg|thumb|none|x300px|Medium-Range LF-Antenna]] </li>
<li style="display: inline-block;"> [[File:Prox lf long.jpg|thumb|none|x300px|Long-Range LF-Antenna]] </li>
<li style="display: inline-block;"> [[File:Prox lf switch.jpg|thumb|none|300px|LF-Antenna Switch]] </li>
</ul></div>
 
The optional LF antennas come with two switches (source: [https://lab401.com/products/proxmark-3-rdv4-01-long-range-lf-antenna-pack lab401]):
 
; Q-Switch
: The Q-Switch has two settings: 14 (extended range) and 7 (extended accuracy).
:: A Q setting of 14 gives up to 30% more read range (for <code>lf search</code>, <code>lf hid read</code> and similar commands).
:: A Q setting of 7 gives better write performance on T55XX and EM410x tags.
:: A higher Q narrows the antenna's bandwidth, which is why range and reliable demodulation of the tag's reply trade off against each other.
 
; Frequency Switch
: The frequency switch selects the carrier for the tag type in use: 125 kHz or 134 kHz.

== Used Hardware ==

[[Proxmark3 RDV4 Kit]]

[[Proxmark3 RDV4.0 BT & Battery Addon Blue Shark]]

[[Proxmark3 RDV4.0 HF Antennas]]

[[Proxmark3 RDV4.0 LF Antennas]]


== References ==

* https://www.proxmark.com
* https://www.hackerwarehouse.com
* https://www.lab401.com
* https://github.com/RfidResearchGroup/proxmark3

[[Category:Documentation]]
[[Category:Pentesting]]

Latest revision as of 18:33, 12 March 2024