First version of Proxmark3, originally designed by Jonathan Westhues

| Specification | Value |
|---|---|
| Date invented | 2007 |
| FPGA | Xilinx Spartan-II |
| Processor | Atmel AT91SAM7S64 |
| Memory | 64 kB flash |
Proxmark3 is a multi-purpose hardware tool for radio-frequency identification (RFID) security analysis, research and development. It supports both high frequency (13.56 MHz) and low frequency (125/134 kHz) proximity cards and allows users to read, emulate, fuzz, and brute force the majority of RFID protocols. [1]
Originally created by Jonathan Westhues and published as open-source hardware, it was later picked up by a community of developers who significantly improved both hardware and software in comparison with the original version. Proxmark3 gathered a large community of security researchers investigating RFID access control systems, who expand and maintain the project while using it in their own research. [2] The original Proxmark3 hardware platform served as the basis for new device versions, including commercial ones. [1]
Proxmark3 is based on field-programmable gate array (FPGA) technology, which allows the implementation of high-performance, low-level analog signal processing, modulation and demodulation. A separate microcontroller processes the demodulated frames. Such a setup potentially allows any RFID protocol to be implemented in Proxmark3's software.
Two independent antenna circuits are used: one for the low-frequency (LF) band (125 kHz and 134 kHz) and one for the high-frequency (HF) band (13.56 MHz). Initially, both antennas were connected through a shared 4-pin Hirose USB connector, which was unreliable at times. Subsequent revisions have opted to use a separate connector for each antenna.
An 8-bit analog-to-digital converter (ADC) receives the analog signal from the antenna circuit, digitizes it and outputs the digital samples to the FPGA.
The FPGA performs both the low-level modulation when transmitting data from the CPU and the demodulation when receiving a signal from the ADC. It can process various modulations such as on–off keying (OOK), amplitude-shift keying (ASK), etc. The FPGA works in two modes: as a reader generating the electromagnetic field for cards, or as a card waiting for a reader's field.
The ARM microcontroller is responsible for the protocol part. It encodes and decodes the frames (Manchester, Miller, etc.) and performs more advanced functions. After handling the signal, the CPU can reply to the FPGA, thus implementing the transport layer. The CPU also manages the USB communication with the PC client application. [3]
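The split described in the three paragraphs above (ADC samples, FPGA modulation/demodulation, ARM line coding) can be simulated end to end. The following is an added illustration written for this page, not code from the Proxmark3 firmware: the sampling parameters, the Manchester polarity convention and the summary of the ISO/IEC 14443-A Modified Miller rule are this example's own assumptions, and the payload is constructed.

```python
import math

# Constructed sampling parameters for the simulation (assumptions, not Proxmark3 firmware values).
SAMPLES_PER_CYCLE = 8      # ADC samples per carrier cycle
CYCLES_PER_HALF_BIT = 4    # carrier cycles per Manchester half-bit
WINDOW = SAMPLES_PER_CYCLE * CYCLES_PER_HALF_BIT


# --- "ARM" layer: bit-level line coding ---------------------------------------

def manchester_encode(bits):
    """Manchester line code (convention assumed here: 0 -> high,low; 1 -> low,high)."""
    out = []
    for b in bits:
        out.extend((0, 1) if b else (1, 0))
    return out


def manchester_decode(half_bits):
    """Inverse of manchester_encode; a half-bit pair without a transition is a coding error."""
    if len(half_bits) % 2:
        raise ValueError("odd number of half-bits")
    bits = []
    for i in range(0, len(half_bits), 2):
        pair = (half_bits[i], half_bits[i + 1])
        if pair == (1, 0):
            bits.append(0)
        elif pair == (0, 1):
            bits.append(1)
        else:
            raise ValueError(f"no transition in half-bit pair {pair} at index {i}")
    return bits


def is_valid_manchester(half_bits):
    """True when every half-bit pair carries a transition (the self-clocking check a decoder relies on)."""
    try:
        manchester_decode(half_bits)
        return True
    except ValueError:
        return False


# Modified Miller, the reader-to-card coding of ISO/IEC 14443-A, with the rule as summarised by the
# author of this example: a bit period is four quarter-slots and a 0 slot marks a carrier pause.
X, Y, Z = (1, 1, 0, 1), (1, 1, 1, 1), (0, 1, 1, 1)   # X: mid-bit pause, Y: no pause, Z: leading pause


def modified_miller_encode(bits):
    """Logic 1 -> X. Logic 0 -> Y after a 1, Z after a 0 or at the start; the frame opens with Z."""
    out = list(Z)
    prev = 0
    for b in bits:
        out.extend(X if b else (Y if prev else Z))
        prev = b
    return out


def modified_miller_decode(slots):
    """Skip the start-of-communication Z, then X means 1 and Y or Z means 0."""
    body = slots[4:]
    if len(body) % 4:
        raise ValueError("slot stream is not a whole number of bit periods")
    return [1 if tuple(body[i:i + 4]) == X else 0 for i in range(0, len(body), 4)]


# --- "FPGA" layer: carrier modulation and envelope demodulation ---------------

def ask_modulate(half_bits, depth=1.0):
    """8-bit ADC-style samples of a carrier whose amplitude follows half_bits (depth 1.0 is OOK)."""
    samples = []
    for hb in half_bits:
        amp = 1.0 if hb else 1.0 - depth
        for k in range(WINDOW):
            v = 127.5 + 127.5 * amp * math.sin(2 * math.pi * k / SAMPLES_PER_CYCLE)
            samples.append(int(round(v)))
    return samples


def ask_demodulate(samples, threshold=None):
    """Peak-to-peak envelope per half-bit window, then a threshold at the midpoint of the envelope range."""
    envelope = [max(samples[i:i + WINDOW]) - min(samples[i:i + WINDOW])
                for i in range(0, len(samples) - WINDOW + 1, WINDOW)]
    if threshold is None:
        threshold = (max(envelope) + min(envelope)) / 2
    return [1 if e > threshold else 0 for e in envelope]


def recover_bits(samples):
    """The full receive path: ADC samples -> half-bits (FPGA role) -> data bits (ARM role)."""
    return manchester_decode(ask_demodulate(samples))


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed payload
    print("manchester :", manchester_encode(data))
    print("recovered  :", recover_bits(ask_modulate(manchester_encode(data), depth=0.5)))
    print("miller     :", modified_miller_encode(data))
```

The envelope detector stands in for what the FPGA does in hardware: it never sees bits, only amplitude, and the ARM-side decoder is the first place a malformed frame (a half-bit pair with no transition) can be rejected, which is why `manchester_decode` raises rather than guessing.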
Flash memory is used to store firmware. The early versions of Proxmark3 only had 64 kB of flash memory, [4] but as firmware developed that became scarce and versions with 512 kB appeared. [5]
The firmware itself consists of ARM code and an FPGA image (which is loaded by the ARM). The FPGA communicates with the ARM through either its SPI port (the ARM is the master) or its generic SSP. The SPI is used for FPGA configuration. The SSP is used for data sent over the air. [6]
At the time Proxmark3 was developed, SDR was a hard-to-access technology. For that reason a split FPGA/MCU architecture was designed: the FPGA handles low-level functionality such as modulation/demodulation, while the microcontroller handles the high-level functionality (command-line interface, protocol encoding/decoding, etc.). While the FPGA/MCU architecture is technically outdated, it remained unchanged throughout hardware revisions. This allowed different versions to use the same firmware and resulted in a large code base. However, over time the Proxmark3 codebase became increasingly fractured and hardware instabilities started to appear. As a result, some implementations refine and optimize the code (for example Proxmark3 RDV4), while others use the original Proxmark3 codebase (for example Proxmark3 EVO). [5]
Proxmark3 software is divided into three parts:
Older firmware used the USB HID protocol to connect the client to the Proxmark3. It was not possible to stream the received samples in real time to the PC: the CPU received a command from the client, executed it and stored the result in a memory buffer, and the client had to send a further command to retrieve the buffered data. [7] Newer firmware versions use a CDC serial interface to communicate with the client. [2]
Signal samples may also be handled by the PC client, which can plot the received data to assist in analyzing unknown signals.
Since Proxmark3's release in 2007, several RFID enthusiasts have been extending its functionality. The Proxmark3 community saw rapid growth after the release of firmware supporting the ISO/IEC 14443-A standard and the appearance of successful attacks on Mifare Classic. The Proxmark3 forum (registration required) became one of the main hubs for discussion of RFID system vulnerabilities, frequented by security researchers focusing on electronic access control (EAC) systems. The Proxmark community also houses developers of other RFID research tools, for example LibNFC. [8] A community Discord server was later created to host both text and voice discussions on the topic of EAC system security. It had about 3000 members at the end of 2021.
Mifare Classic cards attacks:
Mifare Classic paper:
Mifare DESFire paper:
HID iClass papers:
Hitag paper:
Megamos paper:
NFC papers:
A microcontroller or microcontroller unit (MCU) is a small computer on a single integrated circuit. A microcontroller contains one or more CPUs along with memory and programmable input/output peripherals. Program memory in the form of NOR flash, OTP ROM, or ferroelectric RAM is also often included on the chip, as well as a small amount of RAM. Microcontrollers are designed for embedded applications, in contrast to the microprocessors used in personal computers or other general-purpose applications consisting of various discrete chips.
In computing, firmware is software that provides low-level control of computing device hardware. For a relatively simple device, firmware may perform all control, monitoring and data manipulation functionality. For a more complex device, firmware may provide relatively low-level control as well as hardware abstraction services to higher-level software such as an operating system.
AVR is a family of microcontrollers developed since 1996 by Atmel, acquired by Microchip Technology in 2016. These are modified Harvard architecture 8-bit RISC single-chip microcontrollers. AVR was one of the first microcontroller families to use on-chip flash memory for program storage, as opposed to one-time programmable ROM, EPROM, or EEPROM used by other microcontrollers at the time.
A system on a chip or system-on-chip is an integrated circuit that integrates most or all components of a computer or electronic system. These components usually include an on-chip central processing unit (CPU), memory interfaces, input/output devices and interfaces, and secondary storage interfaces, often alongside other components such as radio modems and a graphics processing unit (GPU) – all on a single substrate or microchip. SoCs may contain digital and also analog, mixed-signal and often radio frequency signal processing functions.
ISO/IEC 14443 *Identification cards – Contactless integrated circuit cards – Proximity cards* is an international standard that defines proximity cards used for identification, and the transmission protocols for communicating with them.
A software modem, commonly referred to as a softmodem, is a modem with minimal hardware that uses software running on the host computer, and the computer's resources, in place of the hardware in a conventional modem.
Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm or less. NFC offers a low-speed connection through a simple setup that can be used for the bootstrapping of capable wireless connections. Like other proximity card technologies, NFC is based on inductive coupling between two electromagnetic coils present on a NFC-enabled device such as a smartphone. NFC communicating in one or both directions uses a frequency of 13.56 MHz in the globally available unlicensed radio frequency ISM band, compliant with the ISO/IEC 18000-3 air interface standard at data rates ranging from 106 to 848 kbit/s.
A TV tuner card is a kind of television tuner that allows television signals to be received by a computer. Most TV tuners also function as video capture cards, allowing them to record television programs onto a hard disk much like the digital video recorder (DVR) does.
JTAG is an industry standard for verifying designs of and testing printed circuit boards after manufacture.
MIFARE is a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards.
Java Card OpenPlatform (JCOP) is a smart card operating system for the Java Card platform developed by IBM Zürich Research Laboratory. On 31 January 2006 the development and support responsibilities transferred to the IBM Smart Card Technology team in Böblingen, Germany. Since July 2007 support and development activities for the JCOP operating system on NXP / Philips silicon are serviced by NXP Semiconductors.
Minimig is an open source re-implementation of an Amiga 500 using a field-programmable gate array (FPGA).
An electronic device or embedded system is said to be field-programmable or in-place programmable if its firmware can be modified "in the field", without disassembling the device or returning it to its manufacturer.
RuBee is a two-way active wireless protocol designed for harsh environments and high-security asset visibility applications. RuBee utilizes longwave signals to send and receive short data packets in a local regional network. The protocol is similar to the IEEE 802 protocols in that RuBee is networked by using on-demand, peer-to-peer and active radiating transceivers. RuBee is different in that it uses a low frequency carrier.
Crypto1 is a proprietary encryption algorithm and authentication protocol created by NXP Semiconductors for its MIFARE Classic RFID contactless smart cards launched in 1994. Such cards have been used in many notable systems, including Oyster card, CharlieCard and OV-chipkaart.
MIFARE4Mobile is a technical specification published by NXP Semiconductors in December 2008 to manage MIFARE-based applications in mobile devices. The specification provides mobile network operators and service providers with a single, interoperable programming interface, easing the use of the contactless MIFARE technology in future mobile Near Field Communication (NFC) devices.
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.
Karsten Nohl is a German cryptography expert and hacker. His areas of research include Global System for Mobile Communications (GSM) security, radio-frequency identification (RFID) security, and privacy protection.
The Flipper Zero is a portable multi-functional device developed for interaction with access control systems. The device is able to read, copy, and emulate RFID and NFC tags, radio remotes, iButton, and digital access keys, along with a GPIO interface. It was first announced in August 2020 through the Kickstarter crowdfunding campaign, which raised $4.8 million. The first devices were delivered to backers 18 months after completion of the crowdfunding campaign. The device's user interface embodies a pixel-art dolphin virtual pet. The interaction with the virtual pet is the device's core game mechanic. The usage of the device's functions defines the appearance and emotions of the pet.