Proxmark3 RDV4

Summary

Proxmark3 RDV4

The Proxmark is an RFID swiss-army tool, allowing for both high and low-level interactions with the vast majority of RFID/NFC tags and systems worldwide (proxmark.com).

The Proxmark3 Dev Kit 4 (RDV4) is more compact and portable than the older versions and brings various improvements to the open-source design. Antennas are highly customizable and there is a new multifunction multiplexing interface to support additional components such as external battery, external active high powered antenna, Bluetooth interfaces and SIM/Smart card reader (hackerwarehouse.com).

This write-up concentrates on the improvements of the RDV4 over the RDV2 and will not cover the basic operations. For more, please visit Proxmark3: Useful commands or Proxmark3: FH-Campus Card NFC Security Valuation

Requirements

• Proxmark3 RDV4

To use the Bluetooth module & for new features of the RDV4 use the new new repository

Setting-up & compiling are explained in the original documentation

For a quick introduction to the default commands please visit: Proxmark3: Useful commands

Bluetooth Module

With the Blue-Shark Module it is now possible to wirelessly communicate with the Proxmark RDV4!

Installation

To enable this feature you need to install the newest RfidResearchGroup/proxmark3 repo and enable the Bluetooth setting in the makefile: the instructions are based on Blue Shark Installation

Linux installation

Preperation

• Update system:

sudo apt-get update

• Install requirements:

sudo apt-get install --no-install-recommends git ca-certificates build-essential pkg-config libreadline-dev gcc-arm-none-eabi libnewlib-dev qtbase5-dev

• On Linux you have to make shure you remove of disable the ModemManager (this is usally pre-installed to interact with (2G,3G,4G) devices.
• Remove ModemManager

sudo apt remove modemmanager

• Download repostiory:

git clone https://github.com/RfidResearchGroup/proxmark3.git

• cd into repo

cd proxmark3

• Or update to the newest version:

git pull

Compile source code

• Enable Bluetooth module

cp Makefile.platform.sample Makefile.platform

nano Makefile.platform

And uncomment the line #PLATFORM_EXTRAS=BTADDON by removing the # & save changes by pressing ctrl+x

• Compile source code

make clean; make -j8

sudo make install

• Add access rights

make accessrights

Now log off and log on again.

• Connect the Proxmark3 to the computer
• Flash the firmware

./pm3-flash-bootrom

./pm3-flash-all

Connect wirelessly to the Proxmark

• Turn on the Bluetooth module (both switches to on)
• Find MAC address

sudo hcitool scan
Scanning ...
 aa:bb:cc:dd:ee:ff PM3_RDV4.0

• Bind your BT add-on MAC address to a serial port

sudo rfcomm bind rfcomm0 aa:bb:cc:dd:ee:ff

• If connecting the first time:

bluetoothctl
[bluetooth]# pairable on
[bluetooth]# scan on
Discovery started
...
[CHG] Device aa:bb:cc:dd:ee:ff Name: PM3_RDV4.0
[bluetooth]# trust aa:bb:cc:dd:ee:ff
[bluetooth]# pair aa:bb:cc:dd:ee:ff
[agent] Enter PIN code: 1234
[bluetooth]# quit

• Else, open the Proxmark client

proxmark3 /dev/rfcomm0

Now the Proxmark LED should stop blinking and turn solid blue. THe Proxmark client should show the default interface.

Smart Card

Antennas

The Proxmark3 RDV4 optionally ships with high-frequency (hf) and low-frequency (lf) antenna kits. They include a medium and long-range antenna. The following will show the differences between them.

High-Frequecy Antenna Kit

The hf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 40-85mm, medium-range antenna about 90mm, and the long-range has a reach of 100-120mm. A small test of mine concludes that this statement is only partially true.

I tested the range of 4 different cards:

• Card 1: HF-Card shipped with the RDV4: NXP MIFARE CLASSIC 1k Gen1A S50
• Card 2: Student-Card: NXP MIFARE DESFire 4k
• Card 3: Portugal, Proto MetroCard: Ultralight EV1 48bytes (MF0UL1101)
• Card 4: SkiData Card: EM-Marin SA (Skidata); EM4233

(!)  denotes that the readings were inconsistent:
     The card only got recognized from time to time
(!!) denotes that the readings were very inconsistent:
     Only if lucky the card got recognized
/    denotes that the card got not read at all

The results show that the antenna reach depends heavily on the card trying to read. The most consistent results came from the default-antenna that ships with the RDV4. As shown, the optional antennas did cope with the NXP Mifare cards very poorly but show improvements for the SkiData card.

Low-Frequency Antenna Kit

Sadly I do not have any lf-cards on hand and could not test the range of the given antennas.

The lf-antenna kit comes with two antennas that are advertised as medium- and long-range antennas. The store lab401 says the range of the default antenna is about 66 - 72mm, medium-range antenna about 90mm, and the long-range has a reach of 110 - 133mm. But as shown above, for the hf-antenna this depends heavily on the lf-card itself.

The optional antennas come with 2 switches: (source: lab401)

Q-Switch

The Q-Switch has two settings: 14 (Extended Range) and 7 (Extended Accuracy).

Q-Switch setting of 14 will give up to 30% further read range (on lf search / lf hid read etc commands).

Q-Switch setting of 7 will give better writing performance on T55XX and EM410XX tags.

Frequency Switch

The frequency switch allows for tuning to specific tag types: 125KHz or 134KHz.

Used Hardware

Proxmark3 RDV4 Kit

Proxmark3 RDV4.0 BT & Battery Addon Blue Shark

Proxmark3 RDV4.0 HF Antennas

Proxmark3 RDV4.0 LF Antennas

Courses

References

• https://www.proxmark.com
• https://www.hackerwarehouse.com
• https://www.lab401.com
• https://github.com/RfidResearchGroup/proxmark3