Proxmark3 RDV4
Summary
The Proxmark is an RFID swiss-army tool, allowing for both high and low-level interactions with the vast majority of RFID/NFC tags and systems worldwide (proxmark.com).
The Proxmark3 Dev Kit 4 (RDV4) is more compact and portable than the older versions and brings various improvements to the open-source design. Antennas are highly customizable and there is a new multifunction multiplexing interface to support additional components such as external battery, external active high powered antenna, Bluetooth interfaces and SIM/Smart card reader (hackerwarehouse.com).
This write-up concentrates on the improvements of the RDV4 over the RDV2 and does not cover basic operations. For more, please visit Proxmark3: Useful commands or Proxmark3: FH-Campus Card NFC Security Valuation.
Requirements
- Proxmark3 RDV4
To use the Bluetooth module and the other new features of the RDV4, use the new repository.
Setting up and compiling are explained in the original documentation.
For a quick introduction to the default commands please visit: Proxmark3: Useful commands
Bluetooth Module
With the Blue-Shark Module it is now possible to wirelessly communicate with the Proxmark RDV4!
To enable this feature, install the newest RfidResearchGroup/proxmark3 repo and enable the Bluetooth setting in the makefile. Please follow the instructions at Blue Shark Installation.
Smart Card
Antennas
The Proxmark3 RDV4 optionally ships with high-frequency (hf) and low-frequency (lf) antenna kits. They include a medium and long-range antenna. The following will show the differences between them.
High-Frequency Antenna Kit
The hf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 40-85mm, medium-range antenna about 90mm, and the long-range has a reach of 100-120mm. A small test of mine concludes that this statement is only partially true.
I tested the range of 4 different cards:
- Card 1: HF-Card shipped with the RDV4: NXP MIFARE CLASSIC 1k Gen1A S50
- Card 2: Student-Card: NXP MIFARE DESFire 4k
- Card 3: Portugal, Proto MetroCard: Ultralight EV1 48bytes (MF0UL1101)
- Card 4: SkiData Card: EM-Marin SA (Skidata); EM4233
- (!) denotes that the readings were inconsistent: the card was only recognized from time to time.
- (!!) denotes that the readings were very inconsistent: the card was recognized only with luck.
- / denotes that the card was not read at all.
Card | Default-Antenna | Medium-Range Antenna | Long-Range Antenna |
---|---|---|---|
Shipped HF-Card | 8 cm | (!!) 0 cm | (!!) 2 cm |
Student-Card | 5 cm | (!) 0 cm | (!) 7 cm |
Metro-Card | 8 cm | / | (!) 11 cm |
SkiData-Card | 7 cm | 7 cm | 11 cm |
The results show that the antenna reach depends heavily on the card being read. The most consistent results came from the default antenna that ships with the RDV4. As shown, the optional antennas coped very poorly with the NXP MIFARE cards but show improvements for the SkiData card.
Low-Frequency Antenna Kit
Sadly I do not have any lf-cards on hand and could not test the range of the given antennas.
The lf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 66 - 72mm, medium-range antenna about 90mm, and the long-range has a reach of 110 - 133mm. But as shown above for the hf-antenna, this depends heavily on the lf-card itself.
The optional antennas come with 2 switches (source: lab401):
- Q-Switch
  - The Q-Switch has two settings: 14 (Extended Range) and 7 (Extended Accuracy).
  - Q-Switch setting of 14 will give up to 30% further read range (on lf search / lf hid read etc. commands).
  - Q-Switch setting of 7 will give better writing performance on T55XX and EM410XX tags.
- Frequency Switch
  - The frequency switch allows for tuning to specific tag types: 125KHz or 134KHz.
Used Hardware
- Proxmark3 RDV4.0
- BT & Battery Addon Blue Shark