Proxmark3 Rdv2 Vs Rdv4
Hi CryptoKey.

Proxmark3 hardware is starting to get a little bit difficult to follow. Essentially: there is no FW difference between the versions - they will all run the same firmware, and are all in theory capable of reading the same tags.

There is:
- Proxmark 3 'Original' - The original design. Older (10y+) components, very strange antenna connection system. Essentially discontinued.
- Proxmark 3 'Original' rebuilt: Same hardware, better antennas ( ). Essentially discontinued.
- Proxmark 3 RDV: Elechouse's facelift of the proxmark. Updated & modernised hardware and components. Smaller footprint. More stable operation. New, modern antenna system (Mini SMA connectors, smaller, better performance). Discontinued.
- Proxmark 3 RDV2: V2 of the above. This is the version that most people purchase. Hardware is stable, build quality is very good. Price is cheaper than above systems.

Note, there is also a Proxmark 3 RDV 'easy'. This is a version intended for the Chinese domestic market only, so has a few features removed:
1. AT91SAM7S256 (smaller memory, 256kb)
2. Removed lithium battery management and socket.
3. Removed some components such as Relay and the Amplifier.
4. Uses a different antenna connection.

In a nutshell, you're probably looking for the Proxmark RDV 2. Lots of places to buy from. This forum lists a bunch. If you're in the EU (or even if you're not) - I sell via www.lab401.com

Last edited by kwx (2017-03-06 11:21:38).

OK. Yes, I forgot some reading; I have read the WIKI now. At first everything seems a bit frustrating, until everything is well located and each link. At first I did not find any relation between each link (WIKI + code.google + Github); I also did not understand the relationship between the original design and the Chinese one, because seeing the Chinese PM3 with SW also left me disjointed. :-) Thank you.

PS: can this YouTube video be a good tutorial for installing on XP? :-)

Last edited by CryptoKey (2017-03-10 21:06:06).
Good, after several attempts I managed to install part of the proxmark. :-) According to these steps:

- For Windows XP, in my case: download the folder (cdc + lua).rar, the CDC new serial interface; there are drivers and software. The video "Proxmark3 - Windows XP Driver Install" (https://youtu.be/MfU3WcXNUbE?list=PLvftlns4iCmLwHOmefio9jfUhiHEvtMPS) also helped me to see the installation of the drivers. The COM port taken by the installation is COM8; the software (GO) asked for COM5, so I changed it manually to COM5. Now the COM port is OK.
- Now I am at the point where I cannot read anything with the proxmark. I guess I did NOT do the bootloader update. I ask the experts: must you do the bootloader obligatorily? How can I tell if my version is R655, R650 or r486? Would this be the reason for not being able to read with the proxmark?
- I am using for the readings the SW (go) and Proxmark tool, both without it.

Excuse my ignorance and my bad English. Sorry :-)

Last edited by CryptoKey (2017-03-12 14:37:10).
Sorry for the double post, but I just remembered to check the PM3 license. The root of the repository says it is GNU GPL V2 and I can see no mention of license elsewhere. Unfortunately the wording of that license (using the word 'software' explicitly) means it is hard to argue it applies to the hardware too. Does anyone know if this was deliberate?

I'm new around here, but I humbly suggest that if a PM4 design ever happens then the hardware design should be explicitly licensed as open too. This would help prevent the current situation where people are selling modified designs with no incentive to even provide a schematic. Thankfully the modifications in the current devices on the market don't seem too extreme. I base this on the fact that the PM3 Easy is the cheapest, so is likely the most stripped down.

I'm imagining more extreme scenarios like:
(a) Someone changed the demodulation circuitry (e.g. peak detector) so that it was cheaper but had a degraded signal.
(b) Someone found a way to improve the demodulation circuitry but the signal shapes changed a bit as a result. (This is probably less likely given it would most likely increase manufacturing cost.)

I'd want to know about either of those mods in my device in case future firmware updates caused it to stop working!
As a member of the Physical Security team here at SpiderLabs, some of my job responsibilities include getting into a facility by any (non-destructive) means necessary. When a client has decided once and for all that they've trained their guards and fortified the gates, it's time to test those defenses to measure just how resilient they actually are to an attack. And that's where we come in.

Some organizations are finally starting to understand the risk behind 'tailgating': an unauthorized individual circumventing physical access controls by following an authorized user into a building before those controls have a chance to deny access. Oftentimes they look to technology to minimize the level of human interaction required to challenge a potential tailgater; not presenting an RFID badge to the reader by the door gives a vigilant employee probable cause to challenge a potential tailgater.

RFID badge entry systems are becoming so commonplace these days that they're downright innocuous. This is partly because they're relatively inexpensive to implement and easy to deactivate if a badge is lost or an employee is separated from an organization. You've probably seen them in your daily life: usually a little white badge slightly larger than a business card, sometimes with a photo on it. Each tag has a unique identifier that corresponds to an entry in an application; if the badge is granted access, the door unlocks. If there's no corresponding entry, or if the entry is explicitly denied access, the door does not unlock.

While getting challenged when attempting to tailgate is rare, I have to be prepared for the possibility that if I'm caught attempting to tailgate I will be challenged (and that's what I hope for, for the organization's sake). If I've managed to physically procure a valid badge then this is not likely a problem. If I get challenged, I excuse myself, walk back outside, and badge myself in. If not, then things get a little trickier.

This is where the Proxmark 3 comes in. The Proxmark 3 is an 'open' device originally designed by Jonathan Westhues that acts as a sort of Swiss-army knife for testing RFID. The fully assembled and programmed device allows a user to read, replay, and clone RFID tags. Because the device is 'open', anyone is free to get the schematics and firmware for the Proxmark and build or modify them to their heart's content. This is precisely what NSL, a hackerspace in Los Angeles, did. They augmented the existing Proxmark design with additional features, including an LCD display, a thumb joystick, an SD-card slot, and more.

Now, I'm fairly pragmatic when it comes to the tools I need to do my job. I do not (yet) possess the requisite soldering capabilities to reliably reproduce the NSL Proxmark3 LCD version, so I used a skillset I've honed over decades of practice.

I used my wallet. Or, more accurately, another member of the SpiderLabs red team did. Our Proxmark 3 was purchased from. Obtaining a prebuilt Proxmark 3 is easy enough.
The next step is to talk to it via a computer. After reading every single user guide, forum post, blog article, wiki, and smoke signal on the Internet about the Proxmark, I finally understood how the interaction process works.

The Proxmark3.com site provides useful links to the User Guide, client software and firmware, and even a Python API. There is a client software package for Windows and Linux, and some users are having success building the client under OS X, but I didn't. I opted instead to run the client in VMware via a Linux guest machine. I used the BackTrack Linux security testing virtual machine image, and the kernel recognized the Proxmark without any additional tinkering. The most important thing with this method is to ensure that the virtual machine is configured to assume control over USB devices when the VM window has focus. Otherwise, there's a small chance that you might get an error when you flash your Proxmark and become the proud owner of a $400 paperweight.

I followed the relatively straightforward instructions included in the document bundle from proxmark3.com and was able to update the bootloader, FPGA code, and base operating system in just a few minutes.

Out of the box, the Proxmark 3 is able to read, replay, and clone RFID cards with a few arcane command line programs and a computer running the client software. Very cool, but it's not always convenient to be carting around a backpack loaded down with a computer and software, stopping every so often to open the computer, verify that tags are being read properly, and then put the Proxmark into replay mode. Definitely not something you want to be doing when you're in the field trying to covertly enter a target facility.

Samy recognized this gap in usability and augmented the Proxmark 3 firmware with 'standalone mode'. This mode allows a user to operate the Proxmark 3 with just a battery pack and the required RFID antenna. By observing the sequence of lit or unlit LEDs it is pretty straightforward to determine which mode the Proxmark 3 is in, and whether or not a tag has been successfully read.

In the picture above, I've attached an Energizer USB battery pack to the Proxmark 3. This battery pack provides plenty of charge time to operate the Proxmark, and the setup can be discreetly distributed across several pockets, with the battery in one pocket, the Proxmark 3 in another, and a long cable going through a long shirt sleeve to the antenna in my hand. The antenna has a standard USB female connector so that you don't have to carry around the antenna the entire time you're working; adding or removing the antenna is dead simple. I used the USB mini cable from an old hard disk enclosure I had lying around so that I can provide power to the Proxmark and later connect to a laptop without having to power the Proxmark down.

So, here's the skinny on how to operate the Proxmark 3 in standalone mode so that you don't have to spend the time I did trying to learn the device.
If you purchased your Proxmark from proxmark3.com then you already have Samy's code flashed onto your device.

Step 1 is to connect your Proxmark to a power supply and ensure that the power is turned on. A quick flash of the LEDs on the Proxmark lets you know that it is receiving power.

Step 2 is to press and hold the button on the Proxmark 3 for about 2 seconds. You'll know when to let go when you see the lights on the Proxmark dance in a quick sequence. At this point, a single red LED should be lit. This lets you know that the Proxmark is reading from internal storage slot 1.

Step 3, writing an RFID tag to slot 1. When a single red LED is lit, press and hold the button on the Proxmark for about 2 more seconds. A second red LED will light up, indicating the Proxmark is in 'read' mode for slot 1. Now when an RFID tag comes into the antenna's field, the second red LED will turn off. Note the configuration of the LEDs in the picture of the Proxmark above; two red LEDs are lit.

Step 4, replaying from slot 1. After the second red LED has turned off, quickly press the Proxmark button for about 1 second. If you timed this right, the red LED will remain lit and a green LED should come on. The Proxmark is now replaying the RFID tag recorded into slot 1. From here you should be able to walk up to any badge reader that the copied RFID tag has access to open, place the RFID antenna against the reader, and the door should open. If it doesn't, something went wrong or the tag that was copied does not have access to that door.

By default, the Proxmark has two internal slots in which to record an RFID tag. To write to the second slot, press the Proxmark button again while the 'slot 1' LED is lit and an orange LED should replace the red LED, indicating slot 2 is ready. Begin again at Step 3, although the primary red LED will now be orange.

So now you can store two different RFID badges in standalone mode. But what if the badges you copied were for lower-level users who don't have access to the area of the facility you need to reach in order to fulfil your objective? You can try to grab different badges off of someone else, but sometimes there just isn't enough time allocated to start over. It's time to brute force.

Brute forcing the entire 44-bit keyspace of the RFID tag is not only impractical, it would likely take longer to perform than the penetration tester has left on the engagement. Even if you knew the proximity card 'site id', the portion of the tag that's the same for every user of an RFID implementation, the remaining keyspace is still large.

But, not to worry, Brad Antoniewicz at McAfee Foundstone tackled this problem with a custom fork of the Proxmark firmware to create a tool called ProxBrute. I'll let Brad's whitepaper speak for itself, but the bottom line is that you can download Brad's code from his. You can then compile the firmware image yourself or you can flash the binary image of ProxBrute directly to the Proxmark using the Proxmark client software flasher tool. You'll need to flash the bootloader, FPGA code, and then the ProxBrute code in tandem and in that order. Note that newer versions of the Proxmark firmware code are generally not compatible with previous versions. Brad recommends flashing the stock Winter 2010 version of the Proxmark 3 firmware, and then flashing ProxBrute on top of that.

So what does this gain us? It's quite beautiful, really. The ProxBrute code reads from the recently-stored slot 1 tag, or the explicitly-written slot 2 tag, and then decrements through the keyspace until it finds a valid ID or reaches 0x00000000. By keeping the site id of the RFID tag static and starting in an area of the keyspace near a card issued to that site id, it is possible to guess at valid unique card IDs more intelligently. According to the McAfee Foundstone whitepaper, Brad was seeing successful entry in around 5 minutes. That's definitely better than brute force guessing in the dark and places this attack squarely within the realm of practical.

So how do we perform an RFID brute force attack with ProxBrute? Picking up at Step 4, we've now read a tag ID into slot 1.
At this point the red and green LEDs should both be lit.

Step 5 is to single press the button on the Proxmark again, and the orange LED alone will light. A quick single-second press again and the Proxmark goes into ProxBrute mode. You'll know you've done it right when the red, orange, and green LEDs are lit in sequence.

If you have the Proxmark connected to your client machine and are running the Proxmark client, you may see debug output similar to the screen capture below. (Note, there are only 256 possible site IDs, and the 26-bit keyspace listed in the screen capture below is from a dummy card ordered with the Proxmark; you can try to clone my card but it probably won't get you anywhere.)

If you're lucky, you'll land within a valid RFID tag range, the door will click, and you're on your merry way. If you're unlucky you'll get a series of loud beeps, one per second, until everyone in the building comes outside to see what all the beeping is about. There's also the strong possibility that all of these failed attempts will alert the building's security team and the game is over.
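The failed attempts just described leave a very recognisable trace on the access controller side: a run of denied reads at one reader, all with the same site id and card numbers stepping down by one. The following Python is an added example (not code from this article, the whitepaper or ProxBrute) of how a security team could spot that pattern in reader logs. It assumes the common 26-bit layout (even parity, 8-bit facility code as the 'site id', 16-bit card number, odd parity), and the log line format and all values are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed 26-bit layout: even parity | 8-bit facility code | 16-bit card | odd parity.
# Even parity covers the leading 13 bits, odd parity the trailing 13 bits.

def encode_26bit(fc: int, card: int) -> int:
    """Build a raw 26-bit value from facility code and card number."""
    body = (fc << 16) | card
    ep = bin(body >> 12).count("1") % 2          # makes the leading 13 bits even
    op = 1 - bin(body & 0xFFF).count("1") % 2    # makes the trailing 13 bits odd
    return (ep << 25) | (body << 1) | op

def decode_26bit(raw: int):
    """Return (facility_code, card_number), or None if either parity bit is wrong."""
    if raw >> 26:
        return None
    if bin(raw >> 13).count("1") % 2 or not bin(raw & 0x1FFF).count("1") % 2:
        return None
    body = (raw >> 1) & 0xFFFFFF
    return body >> 16, body & 0xFFFF

def find_sequential_denials(log_lines, window=timedelta(seconds=30), min_run=5):
    """Flag readers that log min_run consecutive DENY reads with the same facility
    code and card numbers decrementing by one, each within `window` of the last."""
    per_reader = defaultdict(list)
    for line in log_lines:                        # constructed format: ts reader RESULT hex
        ts, reader, result, raw_hex = line.split()
        decoded = decode_26bit(int(raw_hex, 16))
        if result == "DENY" and decoded is not None:
            per_reader[reader].append((datetime.fromisoformat(ts), *decoded))
    alerts = []
    for reader, reads in per_reader.items():
        run = 1
        for (t0, fc0, c0), (t1, fc1, c1) in zip(reads, reads[1:]):
            run = run + 1 if (fc1 == fc0 and c1 == c0 - 1 and t1 - t0 <= window) else 1
            if run == min_run:                    # report once, at the read completing the run
                alerts.append((reader, fc1, c1))
    return alerts

# Constructed sample: six denied reads at door-3 walking card 1000 down to 995
# under facility code 42, plus one unrelated granted read at another door.
SAMPLE_LOG = [f"2017-03-12T14:37:{10 + i:02d} door-3 DENY {encode_26bit(42, 1000 - i):07x}"
              for i in range(6)]
SAMPLE_LOG.insert(3, f"2017-03-12T14:37:12 door-1 GRANT {encode_26bit(42, 7):07x}")

if __name__ == "__main__":
    print(find_sequential_denials(SAMPLE_LOG))   # [('door-3', 42, 996)]
```

Real controllers log in their own formats, so the `line.split()` parsing is the part to adapt; the run detection itself only needs timestamp, reader, result and the decoded (facility code, card number) pair.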
Of course, it's also possible that it just plain won't work and you'll be forced to try something different. But if you're feeling brave and you've done your homework, you've got nothing to lose but 5 minutes standing at the door and possibly a few gallons of nervous sweat.

So there you have it. The Proxmark 3, standalone mode, and ProxBrute are welcome additions to the arsenal of any physical security tester. While certainly not an 'autopwn' or 'magic super rad spy button' for physical penetration tests, this setup is valuable when used tactically and in the right scenarios. I encourage you to read up on the links I've posted above, thanks to the tireless efforts of a lot of individuals whose brilliant work makes my job more painless.