Hacking, Coding and Gaming

A "few months" (2 years) ago I bought a "Proxmark3 Easy" from BangGood but never really did anything with it since. The original listing page is gone, and I'm guessing it's a clone, but there's another listing which is $11 more expensive which looks just like mine. This is a tool for reading, writing, attacking and emulating RFID / smart cards... and this blog post is my experience and notes attempting to do just that.


Getting things working

I booted Kali 2023.4, ran proxmark3, and... it wouldn't connect to my Proxmark device :/

I was getting the following error, which (according to the internet) basically means there's a version incompatibility between the client and the firmware on the device:

unknown command:: 0x61334d50

At the risk of bricking my not-exactly-cheap toy that I hadn't even played with yet, I managed to flash the "Iceman" fork of the Proxmark3 firmware to it.

I needed to install some dependencies:

sudo apt install libbz2-dev libclang-dev libssl-dev

Then copy Makefile.platform.sample to Makefile.platform and set the platform to PM3GENERIC:

PLATFORM=PM3GENERIC

Then make and flash!

make PLATFORM=PM3GENERIC
./pm3-flash-all

I got some error about my bootloader not supporting a command. Through a combination of running ./pm3-flash-bootrom and power cycling (unplugging usb) a few times, I eventually... seemed to have bricked it :D Luckily all I had to do was hold down the little (reset?) button on the side until the red LED went out, and while keeping it pressed run ./pm3-flash-bootrom, power cycle it, then ./pm3-flash-all... which eventually worked!

┌──(kali㉿kali)-[~/proxmark3-4.17511]
└─$ ./pm3
[=] Session log .proxmark3/logs/log_20231211185617.txt
[+] loaded from JSON file `.proxmark3/preferences.json`
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC


  8888888b.  888b     d888  .d8888b.
  888   Y88b 8888b   d8888 d88P  Y88b
  888    888 88888b.d88888      .d88P
  888   d88P 888Y88888P888     8888"
  8888888P"  888 Y888P 888      "Y8b.
  888        888  Y8P  888 888    888
  888        888   "   888 Y88b  d88P
  888        888       888  "Y8888P"    [ ☕ ]

Release v4.17511 - Faraday
  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 KB ( 61% used )

    Client.... Iceman/master/v4.17511 2023-11-13 10:19:09
    Bootrom... Iceman/master/v4.17511-suspect 2023-11-13 10:19:09
    OS........ Iceman/master/v4.17511-suspect 2023-11-13 10:19:09
    Target.... PM3 GENERIC

Identifying Cards

I have a bunch of programmable RFID cards and fobs, but didn't know what type or frequency they were... or how to use the Proxmark...

It turns out you can just run auto and it'll automagically scan for "hf" (high frequency) and "lf" (low frequency) tags on both antennas. Obviously you might have placed your card/fob on the wrong antenna, so if nothing is found, try again on the other one:

[usb] pm3 --> auto
[=] lf search

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[!] ⚠️  Specify one authentication mode
[+] EM 410x ID 0102030406
[+] EM410x ( RF/64 )
[=] -------- Possible de-scramble patterns ---------
{snip}
[+] Valid EM410x ID found!

[+] Chipset detection: T55xx

(the card I scanned is actually a "T55xx", which is programmable and here acts like an "EM410x" card)


EM410x/T55xx cards

Running lf em or lf em 410x displays commands that can be used to interact with EM410x cards.

  • lf em 410x reader to read the card's ID
  • lf em 410x clone --id 2222222222 to write a new ID to the card

[usb] pm3 --> lf em 410x reader
[+] EM 410x ID 0102030405

[usb] pm3 --> lf em 410x clone --id 2222222222
[+] Preparing to clone EM4102 to T55x7 tag with EM Tag ID 2222222222 (RF/64)
[#] Clock rate: 64
[#] Tag T55x7 written with 0xff94a5294a5294a0

[usb] pm3 --> lf em 410x reader
[+] EM 410x ID 2222222222
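To see what the 0xff94a5294a5294a0 in the clone output actually is, here is an added Python example (mine, not code from the blog or the Proxmark client) that builds the 64-bit EM410x frame the way the format lays it out and decodes it again with full parity checking, so a corrupted read is rejected instead of yielding a bogus ID.

```python
# Added example, not code from the blog or the Proxmark client: encode and
# decode the 64-bit EM410x frame that `lf em 410x clone` writes to a T55x7.
# Frame layout: 9 header ones, 10 ID nibbles each followed by an even-parity
# bit, 4 column-parity bits, then a single 0 stop bit (9 + 50 + 4 + 1 = 64).
from typing import List, Optional


def em410x_encode(tag_id: str) -> int:
    """Return the 64-bit EM410x frame for a 10-hex-digit ID such as '2222222222'."""
    if len(tag_id) != 10:
        raise ValueError("EM410x IDs are exactly 10 hex digits (40 bits)")
    bits: List[int] = [1] * 9                  # header: nine consecutive 1 bits
    col_parity = [0, 0, 0, 0]
    for ch in tag_id:
        row = [(int(ch, 16) >> s) & 1 for s in (3, 2, 1, 0)]   # nibble, MSB first
        bits += row
        bits.append(sum(row) & 1)              # row parity: makes each nibble row even
        for i in range(4):
            col_parity[i] ^= row[i]            # column parity accumulates down the rows
    bits += col_parity + [0]                   # column parity nibble, then stop bit
    return int("".join(map(str, bits)), 2)


def em410x_decode(frame: int) -> Optional[str]:
    """Recover the ID from a frame, or None if the header, parity or stop bit is wrong."""
    bits = [(frame >> (63 - i)) & 1 for i in range(64)]
    if bits[:9] != [1] * 9 or bits[63] != 0:
        return None                            # not a well-formed EM410x frame
    col_parity = [0, 0, 0, 0]
    digits = []
    for r in range(10):
        start = 9 + r * 5
        row = bits[start:start + 4]
        if (sum(row) & 1) != bits[start + 4]:
            return None                        # row parity mismatch: corrupted read
        for i in range(4):
            col_parity[i] ^= row[i]
        digits.append(int("".join(map(str, row)), 2))
    if bits[59:63] != col_parity:
        return None                            # column parity mismatch
    return "".join(f"{d:X}" for d in digits)


if __name__ == "__main__":
    frame = em410x_encode("2222222222")
    print(hex(frame), em410x_decode(frame))   # 0xff94a5294a5294a0 2222222222
```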

As mentioned above, "T55xx" cards can be programmed to emulate EM410x cards. The Proxmark has commands for this, under lf t55xx, such as:

  • lf t55xx chk to try and find the password, if one is set (then use -p {password} with commands when needed)
  • lf t55xx detect to get information about the card - if the card can't be detected you likely need to specify the password
  • lf t55xx dump to save the card to file (use -f to specify the filename)
  • lf t55xx wipe -p {password} to wipe the card and remove the password

[usb] pm3 --> lf t55xx detect
[!] ⚠️  Could not detect modulation automatically. Try setting it manually 
[usb] pm3 --> lf t55xx chk
[+] loaded 123 keys from dictionary file client/dictionaries/t55xx_default_pwds.dic
[=] press <Enter> to exit
[=] testing 51243648
{snip}
[=]  Password set...... Yes
[=]  Password.......... A5B4C3D2
[+] found valid password: [ A5B4C3D2 ]
[usb] pm3 --> lf t55xx detect -p A5B4C3D2
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
{snip}
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... Yes
[=]  Password.......... A5B4C3D2
[usb] pm3 --> lf t55xx wipe
[=] Target T55x7 tag
[=] Default configuration block 000880E0
[=] Begin wiping...
[=] Writing page 0  block: 00  data: 0x000880E0
{snip}
[usb] pm3 --> lf t55xx detect -p A5B4C3D2
[=]  Chip type......... T55x7
[=]  Modulation........ ASK
{snip}
[=]  Downlink mode..... default/fixed bit length
[=]  Password set...... No

MIFARE Classic cards

Running hf mf displays commands that can be used to interact with MIFARE Classic cards:

  • hf mf autopwn tries to find the card's keys (for other commands to work)
  • hf mf dump saves the card's data to file
  • hf mf restore --1k -f (unknown).bin writes the data from file to the card
  • hf mf csetuid sets the card's UID (on magic cards only)

[usb] pm3 --> hf mf dump
[=] Using... hf-mf-01020304-key.bin
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
 🕙 successfully read block  3 of sector 15
[+] Succeeded in dumping all blocks
[+] time: 9 seconds
[+] saved 1024 bytes to binary file hf-mf-01020304-dump-005.bin
[+] saved to json file hf-mf-01020304-dump-005.json
[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] .................................................................

[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | BD 71 CC 03 03 08 04 00 62 63 64 65 66 67 68 69 | .q......bcdefghi
{snip}
[usb] pm3 --> hf mf csetuid -u 01020304
[+] old block 0... BD71CC03030804006263646566676869
[+] new block 0... 01020304040804006263646566676869
[+] Old UID... BD 71 CC 03
[+] New UID... 01 02 03 04  ( verified )
[usb] pm3 --> hf mf cview
[+] View magic Gen1a MIFARE Classic 1K
[=] -----+-----+-------------------------------------------------+-----------------
[=]  sec | blk | data                                            | ascii
[=] -----+-----+-------------------------------------------------+-----------------
[=]    0 |   0 | 01 02 03 04 04 08 04 00 62 63 64 65 66 67 68 69 | ........bcdefghi
{snip}
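The csetuid output shows byte 4 of block 0 changing from 03 to 04 along with the UID; that byte is the BCC. Here is an added Python example (mine, not code from the blog or the Proxmark client) that parses block 0 of a MIFARE Classic 1K dump and checks the BCC, using the two block 0 values printed above.

```python
# Added example, not code from the blog or the Proxmark client: parse block 0
# (the manufacturer block) of a MIFARE Classic 1K dump and check the BCC.
# For a 4-byte UID the layout is UID[0..3], BCC, SAK, ATQA (2 bytes), then
# 8 bytes of manufacturer data; BCC is the XOR of the four UID bytes.
# Both blocks are the old/new block 0 values printed by `hf mf csetuid` above.

OLD_BLOCK0 = bytes.fromhex("BD71CC03030804006263646566676869")
NEW_BLOCK0 = bytes.fromhex("01020304040804006263646566676869")


def parse_block0(block: bytes) -> dict:
    """Split a 16-byte block 0 into fields and flag a BCC that does not match the UID."""
    if len(block) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    uid, bcc, sak, atqa, mfr = block[:4], block[4], block[5], block[6:8], block[8:]
    expected_bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {
        "uid": uid.hex().upper(),
        "bcc": bcc,
        "bcc_ok": bcc == expected_bcc,      # False means a corrupted or botched write
        "sak": sak,                         # 0x08 here: MIFARE Classic 1K
        "atqa": atqa.hex().upper(),         # stored as 04 00 in the dump
        "manufacturer": mfr.hex().upper(),
    }


def uid_rewrite_is_consistent(old: bytes, new: bytes) -> bool:
    """True if a UID change touched only bytes 0-4 and the new BCC matches the new UID."""
    o, n = parse_block0(old), parse_block0(new)
    return o["uid"] != n["uid"] and n["bcc_ok"] and old[5:] == new[5:]


if __name__ == "__main__":
    for name, blk in (("old", OLD_BLOCK0), ("new", NEW_BLOCK0)):
        print(name, parse_block0(blk))
    print("consistent rewrite:", uid_rewrite_is_consistent(OLD_BLOCK0, NEW_BLOCK0))
```

A dump whose BCC does not match its UID is worth a second look before restoring it to a card, since the write itself may have gone wrong.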

The end?

This is probably only just scratching the surface, but I was able to read and change high and low frequency cards and convert cards to fobs and back... sufficient for now :)