ProxMark
Control Proxmark3 with Android Phone
RRG Android App for use with Proxmark3 RDV4 and the blueshark addon
Breaking Samsung firmware, or turning your S8/S9/S10 into a DIY “Proxmark”
https://unethical.info/2024/01/24/hacking-my-air-purifier/
Flashing the Proxmark
Make sure the device is registered
lsusb
Build Software
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all
Upgrading the Bootloader
- Unplug the device
- Hold the button and plug in the device
- Run the flasher command
cd client
make
./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf
Upgrading the Firmware
Run the command with the device plugged in. It should restart and
cd client
./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf
cd ..
General Reading of RFID Cards
Detect whether the tag is low frequency or high frequency:
lf search
hf search
Most low frequency tags don't have any kind of complex authentication scheme or any protection against replay attacks. It's a simple matter to scan an existing working card and create a clone.
Sniffing a Card
lf sniff
# Plot data on graph
data plot
# search and decode plot
lf search -1
Diffing a Card
data diff -a ../dumps/dump1.bin -b ../dumps/dump2.bin
Analyze data
Compute the LRC (XOR) check byte over a byte string:
analyse lcr -d 007F864D7FA83A3D00CA8003000000
HID iClass (13.56 MHz)
Read Single Card
proxmark3> hf iclass reader
Try iClass Master key:
proxmark3> hf iclass permute --reverse --key 3F90EBF0910F7B6F
Read an iCLASS block:
hf iclass rdbl -b 7 --ki 0
Write an iCLASS block:
hf iclass wrbl -b 7 -d 6ce099fe7e614fd0 --ki 0
Encrypt iClass Block:
hf iclass encrypt -d 0000000f2aa3dba8
Simulate iCLASS:
pm3 --> hf iclass dump --ki 0
pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
pm3 --> hf iclass sim -t 3
HID ProxCard (125 kHz)
Reading Card
Read Single Card
proxmark3> lf search
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
HID Prox TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
Valid HID Prox ID Found!
Read Multiple Cards
proxmark3> lf hid fskdemod
#db# TAG ID: 2004263f88 (8132) - Format Len: 26bit - FC: 19 - Card: 8132
#db# Stopped
Cloning Card
This Tag ID is directly encoded from the Facility Code (19) and Card ID (8132). You can use one of the online 26-bit Wiegand calculators to double check this for yourself.
This effectively means that you only need to know those two numbers (which are printed on the card itself) to clone the card.
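The encoding behind that statement, as an added example (not code from the page): the 26-bit H10301 word is even-parity bit, 8-bit facility code, 16-bit card number, odd-parity bit, and it sits in the low 26 bits of the Tag ID `2004263f88` behind a leading 1 at bit 26; the higher prefix bits are the HID preamble and are not interpreted here.

```python
# Added example (not from the page): the 26-bit HID H10301 Wiegand word behind
# the Tag ID 2004263f88 read above (FC 19, card 8132).
# Layout: EP | FC (8 bits) | card number (16 bits) | OP, where EP is even parity
# over the first 12 data bits and OP is odd parity over the last 12.

def popcount(x: int) -> int:
    return bin(x).count("1")

def h10301_encode(fc: int, card: int) -> int:
    """Return the 26-bit word for a facility code and card number."""
    if not (0 <= fc < 256 and 0 <= card < 65536):
        raise ValueError("FC must fit in 8 bits and the card number in 16")
    data = (fc << 16) | card                    # 24 data bits
    ep = popcount(data >> 12) & 1               # makes the left half even
    op = (popcount(data & 0xFFF) & 1) ^ 1       # makes the right half odd
    return (ep << 25) | (data << 1) | op

def h10301_decode(word: int):
    """Return (fc, card) for a 26-bit word; raise if either parity fails."""
    if word >> 26:
        raise ValueError("not a 26-bit word")
    ep, op, data = word >> 25, word & 1, (word >> 1) & 0xFFFFFF
    if (popcount(data >> 12) + ep) % 2 != 0:
        raise ValueError("even parity error in the first half")
    if (popcount(data & 0xFFF) + op) % 2 != 1:
        raise ValueError("odd parity error in the second half")
    return data >> 16, data & 0xFFFF

def wiegand_from_tag_id(tag_id: int) -> int:
    """Extract the 26-bit word from a Proxmark 'lf hid' Tag ID: the word is the
    low 26 bits and bit 26 is the leading 1 that marks where it starts. The
    higher bits (the 0x2004... prefix) are the HID preamble, not interpreted."""
    if not (tag_id >> 26) & 1:
        raise ValueError("bit 26 not set: not a 26-bit HID Tag ID")
    return tag_id & 0x3FFFFFF

if __name__ == "__main__":
    word = wiegand_from_tag_id(0x2004263F88)
    print(f"word=0x{word:07X} (fc, card)={h10301_decode(word)}")
    assert h10301_encode(19, 8132) == word
```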
Use a T5577 card with the following command to clone the card from its Tag ID:
proxmark3> lf hid clone 2004263f88
Cloning tag with ID 2004263f88
#db# DONE!
EM4100x (125 kHz)
Reading Card
Read Single Card
proxmark3> lf search
#db# DownloadFPGA(len: 42096)
Reading 30000 bytes from device memory
Data fetched
Samples @ 8 bits/smpl, decimation 1:1
NOTE: some demods output possible binary
if it finds something that looks like a tag
False Positives ARE possible
Checking for known tags:
EM410x pattern found:
EM TAG ID : 8800180E55
Unique TAG ID : 11001870AA
Possible de-scramble patterns
HoneyWell IdentKey {
DEZ 8 : 01576533
DEZ 10 : 0001576533
DEZ 5.5 : 00024.03669
DEZ 3.5A : 136.03669
DEZ 3.5B : 000.03669
DEZ 3.5C : 024.03669
DEZ 14/IK2 : 00584117128789
DEZ 15/IK3 : 000073016045738
DEZ 20/ZK : 01010000010807001010
}
Other : 03669_024_01576533
Pattern Paxton : 2284604501 [0x882C4C55]
Pattern 1 : 4457436 [0x4403DC]
Pattern Sebury : 3669 24 1576533 [0xE55 0x18 0x180E55]
Valid EM410x ID Found!
Get Tag ID
proxmark3> lf em4x em410xdemod 1
#db# DownloadFPGA(len: 42096)
#db# EM TAG ID: 8800180e55 - (03669_024_01576533)
Cloning Card
Use a T5577 card with the following command to clone the card from its Tag ID:
proxmark3> lf em4x em410xwrite 8800180e55 1
Writing T55x7 tag with UID 0x8800180e55 (clock rate: 64)
#db# Started writing T55x7 tag ...
#db# Clock rate: 64
#db# Tag T55x7 written with 0xffc62000e20ea94e
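How the 40-bit ID `8800180E55` becomes the 64-bit value `0xffc62000e20ea94e` written to the T55x7 above, and where the "Unique TAG ID" line comes from, as an added example (not code from the page): 9 header ones, ten rows of a data nibble plus an even row-parity bit, four even column-parity bits and a 0 stop bit; the Unique ID is the same five bytes with each byte bit-reversed.

```python
# Added example (not from the page): build and verify the 64-bit EM410x frame
# for the ID 8800180E55 read above. Frame layout: 9 header ones, then 10 rows of
# 4 data bits plus an even row-parity bit, then 4 even column-parity bits and a
# 0 stop bit. The 'Unique TAG ID' is the same bytes with each byte bit-reversed.

def em410x_encode(tag_id: int) -> int:
    """Return the 64-bit frame that carries a 40-bit EM410x ID."""
    if tag_id >> 40:
        raise ValueError("EM410x IDs are 40 bits")
    frame, col_parity = 0b111111111, 0
    for i in range(10):                          # most significant nibble first
        nibble = (tag_id >> (36 - 4 * i)) & 0xF
        frame = (frame << 5) | (nibble << 1) | (bin(nibble).count("1") & 1)
        col_parity ^= nibble                     # XOR of nibbles = column parity
    return (frame << 5) | (col_parity << 1)      # column parity, then stop bit 0

def em410x_decode(frame: int) -> int:
    """Recover the ID from a frame, rejecting header, parity or stop-bit errors."""
    if frame >> 64 or (frame >> 55) != 0b111111111:
        raise ValueError("bad header")
    if frame & 1:
        raise ValueError("stop bit must be 0")
    tag_id, col_parity = 0, 0
    for i in range(10):
        row = (frame >> (50 - 5 * i)) & 0x1F
        nibble, parity = row >> 1, row & 1
        if (bin(nibble).count("1") & 1) != parity:
            raise ValueError(f"row {i} parity error")
        tag_id = (tag_id << 4) | nibble
        col_parity ^= nibble
    if ((frame >> 1) & 0xF) != col_parity:
        raise ValueError("column parity error")
    return tag_id

def em410x_unique_id(tag_id: int) -> int:
    """Bit-reverse each of the 5 bytes (the 'Unique TAG ID' shown by lf search)."""
    out = 0
    for i in range(5):
        b = (tag_id >> (8 * i)) & 0xFF
        out |= int(f"{b:08b}"[::-1], 2) << (8 * i)
    return out

if __name__ == "__main__":
    frame = em410x_encode(0x8800180E55)
    print(f"frame=0x{frame:016X} id=0x{em410x_decode(frame):010X}"
          f" unique=0x{em410x_unique_id(0x8800180E55):010X}")
```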
MIFARE Classic (13.56 MHz)
The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc.
One of the keys is a default key, which makes it possible to read some of the data but not the rest.
https://pollevanhoof.be/nuggets/smart_cards/nespresso
Reading Card
Basic info for the card:
proxmark3> hf search
#db# DownloadFPGA(len: 42096)
UID : bc 4e a5 35
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Answers to chinese magic backdoor commands: NO
Valid ISO14443A Tag Found - Quitting Search
Some blocks are protected
Successful Block Read:
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
--block no:0, key type:A, key:ff ff ff ff ff ff
#db# READ BLOCK FINISHED
isOk:01 data:01 02 03 04 04 08 04 00 00 00 00 00 00 00 00 00
Failed Block Read:
proxmark3> hf mf rdbl 5 A FFFFFFFFFFFF
--block no:5, key type:A, key:ff ff ff ff ff ff
#db# Authentication failed. Card timeout.
#db# Auth error
#db# READ BLOCK FINISHED
isOk:00
Test Default Keys
proxmark3> hf mf chk * ?
No key specified, trying default keys
chk default key[ 0] ffffffffffff
chk default key[ 1] 000000000000
chk default key[ 2] a0a1a2a3a4a5
chk default key[ 3] b0b1b2b3b4b5
chk default key[ 4] aabbccddeeff
chk default key[ 5] 4d3a99c351dd
chk default key[ 6] 1a982c7e459a
chk default key[ 7] d3f7d3f7d3f7
chk default key[ 8] 714c5c886e97
chk default key[ 9] 587ee5f9350f
chk default key[10] a0478cc39091
chk default key[11] 533cb6c723f6
chk default key[12] 8fd0a4f256e9
--sector: 0, block: 3, key type:A, key count:13
Found valid key:[ffffffffffff]
...omitted for brevity...
--sector:15, block: 63, key type:B, key count:13
Found valid key:[ffffffffffff]
"Nested Attack" to extract other keys
proxmark3> hf mf nested 1 0 A ffffffffffff d
Testing known keys. Sector count=16
nested...
-----------------------------------------------
uid:bc4ea535 trgbl=4 trgkey=0
Found valid key:080808080808
-----------------------------------------------
uid:bc4ea535 trgbl=8 trgkey=0
Found valid key:080808080808
Time in nested: 7.832 (3.916 sec per key)
-----------------------------------------------
Iterations count: 2
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| 080808080808 | 1 | ffffffffffff | 1 |
|002| 080808080808 | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
Printing keys to binary file dumpkeys.bin...
Reading a block with a key
proxmark3> hf mf rdbl 5 A 080808080808
--block no:5, key type:A, key:08 08 08 08 08 08
#db# READ BLOCK FINISHED
isOk:01 data:00 0a 00 00 ff f5 ff ff 00 0a 00 00 05 fa 05 fa
Clone Card
Auto extract and backup Keys:
hf mf autopwn
Bruteforce MIFARE Classic card numbers from 11223344 to 11223346:
script run hf_mf_uidbruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc
Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679:
script run hf_mf_uidbruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu
Using the keydump to dump a card
proxmark3> hf mf dump 1
|-----------------------------------------|
|------ Reading sector access bits...-----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
...omitted for brevity...
#db# READ BLOCK FINISHED
|-----------------------------------------|
|----- Dumping all blocks to file... -----|
|-----------------------------------------|
#db# READ BLOCK FINISHED
Successfully read block 0 of sector 0.
...omitted for brevity...
Successfully read block 3 of sector 15.
Dumped 64 blocks (1024 bytes) to file dumpdata.bin
Restoring a card
hf mf restore 1
Restore a dead Card:
hf mf csetuid 12345678 0004 08
Note
Find ATQA and SAK from https://nfc-tools.github.io/resources/standards/iso14443A/
Reading a Block
proxmark3> hf mf rdbl 5 A 080808080808
--block no:5, key type:A, key:08 08 08 08 08 08
#db# READ BLOCK FINISHED
isOk:01 data:32 11 00 00 cd ee ff ff 32 11 00 00 05 fa 05 fa
Writing a Block
proxmark3> hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa
--block no:5, key type:A, key:08 08 08 08 08 08
--data: 32 11 00 00 cd ee ff ff 32 11 00 00 05 fa 05 fa
#db# WRITE BLOCK FINISHED
isOk:01
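The 16 bytes read from and written to block 5 above have the MIFARE Classic value-block layout mentioned at the top of this section; as an added example (not code from the page), here it is encoded and decoded with the redundancy bytes checked, using the two block 5 dumps shown above as constructed input.

```python
# Added example (not from the page): MIFARE Classic value blocks, the 16-byte
# layout seen in the block 5 reads and write above. A value block stores a
# little-endian int32 three times (plain, inverted, plain) followed by a one-byte
# block address stored as addr, ~addr, addr, ~addr, so corruption is detectable.
import struct

def value_block_encode(value: int, addr: int) -> bytes:
    """Return the 16-byte value block for an int32 value and block address."""
    if not (-2**31 <= value < 2**31 and 0 <= addr < 256):
        raise ValueError("value must fit int32 and addr must be a byte")
    v = struct.pack("<i", value)
    inv = bytes(b ^ 0xFF for b in v)
    return v + inv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])

def value_block_decode(block: bytes):
    """Return (value, addr) after checking every redundant copy; raise ValueError
    if the 16 bytes are not a consistent value block (e.g. a plain data block)."""
    if len(block) != 16:
        raise ValueError("MIFARE Classic blocks are 16 bytes")
    v, inv, v2, a = block[:4], block[4:8], block[8:12], block[12:]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv:
        raise ValueError("value copies disagree")
    if not (a[0] == a[2] and a[1] == a[3] and a[0] ^ 0xFF == a[1]):
        raise ValueError("address copies disagree")
    return struct.unpack("<i", v)[0], a[0]

# Constructed from the block 5 reads shown on the page (before and after wrbl)
BLOCK5_BEFORE = bytes.fromhex("000a0000fff5ffff000a000005fa05fa")
BLOCK5_AFTER = bytes.fromhex("32110000cdeeffff3211000005fa05fa")
# Constructed from the block 0 read shown on the page: a manufacturer block,
# not a value block, so decoding it must fail
BLOCK0 = bytes.fromhex("01020304040804000000000000000000")

if __name__ == "__main__":
    for name, blk in [("before", BLOCK5_BEFORE), ("after", BLOCK5_AFTER)]:
        print(name, value_block_decode(blk))      # (value, addr)
    try:
        value_block_decode(BLOCK0)
    except ValueError as err:
        print("block 0:", err)
```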
Simulate a Card
hf mf sim -u 353c2aa6
Wiegand
Indala
Hitag
T55XX
- Generic Card Reader
- EM is a T55XX using ASK
- HID Prox is a T55XX using FSK
- Indala is a T55XX using PSK
Detect Type of Card:
lf t55xx detect