Proxmark3 introduction
Proxmark3 is open-source hardware designed and developed by Jonathan Westhues; it is used mainly for RFID sniffing, reading and cloning.
Its official sites are: Jonathan Westhues' personal website; the Proxmark3 official site, PROXMARK.org; and the Proxmark3 sales site.
The proxmark3 is a powerful general purpose RFID tool, the size of a deck of cards, designed to snoop, listen and emulate everything from Low Frequency (125kHz) to High Frequency (13.56MHz) tags.
From the original website :
This device can do almost anything involving almost any kind of low (125 kHz) or high (13.56 MHz) frequency RFID tag. It can act as a reader. It can eavesdrop on a transaction between another reader and a tag. It can analyse the signal received over the air more closely, for example to perform an attack in which we derive information from the tag's instantaneous power consumption. It can pretend to be a tag itself. It is also capable of some less obviously useful operations that might come in handy for development work.
Introduction
This section goes into more detail on the Proxmark3 hardware. It does not go nearly as deep as advanced electronics experts would like, but you are welcome to improve this description by providing your own material.
Proxmark3 capabilities
- CPU : ARM, 256kB of flash memory, 64kB of RAM
- FPGA : Xilinx Spartan-II
- Two independent RF circuits, HF and LF
- Power : through USB port
- Connectivity : mini-USB port
- User interface : one button, four LEDs.
- Fully open-source design, both HW and SW
Basically, and unless proven otherwise, the idea is that the FPGA is just powerful enough to do the low-level modulation/demodulation (-A, -B, ASK, OOK, etc.), whereas the CPU handles the coding/decoding of the frames (Manchester, Miller, etc.) as well as the more advanced functions.
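The split described above leaves frame coding to the CPU. The following added example (not code from the Proxmark3 project or from this page) shows that step in Python: a Manchester encoder, a decoder that rejects any half-bit pair with no mid-cell transition, and a retry on the other half-bit phase. The convention that a 1 bit is sent high-then-low is an assumption, since the page names none.

```python
"""Manchester coding of a frame's data bits, the kind of coding/decoding
the page assigns to the ARM CPU rather than the FPGA.

Added example, not Proxmark3 firmware. The half-bit convention is an
assumption (the page does not name one): a 1 bit is sent as high-then-low
("10") and a 0 bit as low-then-high ("01").
"""

_ENCODE = {"1": "10", "0": "01"}
_DECODE = {"10": "1", "01": "0"}


def manchester_encode(bits):
    """Map each data bit to its two half-bit symbols."""
    if any(b not in _ENCODE for b in bits):
        raise ValueError("bits must be a string of '0'/'1'")
    return "".join(_ENCODE[b] for b in bits)


def manchester_decode(symbols):
    """Recover data bits, rejecting a stream with a missing mid-bit transition."""
    if len(symbols) % 2:
        raise ValueError("odd number of half-bit symbols")
    out = []
    for i in range(0, len(symbols), 2):
        pair = symbols[i:i + 2]
        if pair not in _DECODE:
            # "00" or "11" has no transition in the middle of the bit cell:
            # either the sample is corrupted or the decoder is offset by one
            # half-bit (wrong phase).
            raise ValueError("invalid pair %r at half-bit %d" % (pair, i))
        out.append(_DECODE[pair])
    return "".join(out)


def decode_with_resync(symbols):
    """Try both half-bit phases; return (offset, bits) for the first that decodes.

    A long stream can be valid in both phases, so a real decoder fixes the
    phase from a known preamble or start-of-frame pattern; here the first
    valid phase wins and a trailing unpaired half-bit is dropped.
    """
    for offset in (0, 1):
        window = symbols[offset:]
        if len(window) % 2:
            window = window[:-1]
        try:
            return offset, manchester_decode(window)
        except ValueError:
            continue
    raise ValueError("no half-bit phase yields a valid Manchester stream")


if __name__ == "__main__":
    # Constructed sample frame, not captured from a tag.
    frame = "1011"
    encoded = manchester_encode(frame)
    print(frame, "->", encoded, "->", manchester_decode(encoded))
    # A stream whose capture started one half-bit late.
    print(decode_with_resync("0" + encoded))
```

The phase retry is the part worth noticing: a stream sampled one half-bit off decodes to garbage or fails outright, which is why real protocols put a known start pattern in front of the payload.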
Proxmark3
https://code.google.com/p/proxmark3/wiki/HomePage
https://github.com/Proxmark/proxmark3/wiki
http://www.wwwer.net/archives/proxmark3-introduced.html
Proxmark3 firmware introduction
Proxmark3 is an open-source security device, so its built-in firmware is also continually upgraded and modified thanks to being open source.
The version from our group buy is the relatively stable r486. Each time the firmware is compiled into a bin,
we are not only building the Proxmark3's own firmware but also the client used on the PC side.
Relationship between the Proxmark3 client and firmware
Because of how Proxmark3 works, the PC side only sends commands and echoes their results; it performs no data computation at all.
If we update only the firmware and not the client, the commands and functions added in the firmware will not appear in the old client,
and prompts such as "unrecognized command" easily result. Also keep in mind that, because of the client's peculiarities,
CTRL+C cannot stop a running Proxmark3 operation!
Quitting that way instead leads to conditions that should not occur and affects subsequent operations!
Proxmark3 driver installation
The wiki contains instructions for installing the Proxmark3 driver. The reminder here is that the Proxmark3 driver must be installed manually,
and remember that the driver is the same whether on Windows XP or Windows 7!
The only distinction is between 32-bit and 64-bit drivers, and the 64-bit driver is installed the same way as the 32-bit one.
If the driver is not installed properly the Proxmark3 will not run correctly; the open-source libusb driver is indeed somewhat troublesome.
Things to keep in mind and prepare before testing:
- Choose the client that matches your Proxmark3. As of now the group-buy Proxmark3 is version r486, and the client version is also r486.
- Choose the Proxmark3 driver suited to you. The Windows 7/XP drivers are identical; the only difference is 32-bit vs 64-bit.
- Remember, when running the client, do not use CTRL+C, ESC or other usual cancel keys to cancel a Proxmark3 operation in progress.
Use the button on your Proxmark3 board instead.
http://blog.csdn.net/jay_hust/article/details/9112871
https://proxmark3.googlecode.com/files/ProxSpace-130613.7z
Step 1:
Edit runme.bat, mainly changing the MYPATH variable to your Proxmark3 working directory:
@echo off
REM *******************************************
REM CHANGE THIS PATH TO MATCH YOUR INSTALLATION
REM *******************************************
set MYPATH=C:\ProxSpace\
echo #Win32_Path Mount_Point >msys/etc/fstab
echo %MYPATH%mingw /mingw >>msys/etc/fstab
echo %MYPATH%devkitARM /devkitARM >>msys/etc/fstab
echo %MYPATH%Qt\4.6.2 /qt >>msys/etc/fstab
echo %MYPATH%pm3 /pm3 >>msys/etc/fstab
msys\msys.bat
Note: the MYPATH value ends with a trailing "\", because %MYPATH% is not followed by a "\" in the lines that use it.
Step 2:
In the window opened by running runme.bat, execute
make clean
make all
Step 3:
Copy the proxmark3.exe built in ProxSpace\pm3\client into a separate folder,
and copy the DLLs that proxmark3.exe needs to run from the other directories into that folder
(libgcc_s_dw2-1.dll, libpthread-2.dll, mingwm10.dll, QtCore4.dll, QtGui4.dll, readline5.dll).
Step 4: run proxmark3.exe (double-clicking it directly only flashes a window that closes immediately).
Write a batch file, for example run_proxmark3.bat:
proxmark3 COM1
Once the DOS window appears you can run the relevant commands, such as hw version.
Compiling proxmark3 under Windows 7 (32-bit)
Use Subversion to update the code; download Subversion from the CollabNet site (registration required):
http://www.open.collab.net/downloads/ctf/windows.html.
When compiling under Win7, Perl-related errors often appear:
6402 [main] perl 596 child_copy: linked dll data write copy failed, 0x252000..0x252370, done 0, windows pid 596, Win32 error 87.
The cause is that perl.exe is too old. Download and install a newer version from the Perl site (http://www.perl.org/get.html),
then copy perl.exe and its related DLLs into minGW\bin.
If you do not want to keep it, you can delete the newly installed Perl afterwards. Rebuild and it works.
Proxmark3 configuration document for Windows 7
Proxmark3 firmware compilation under the libusb driver
Compiling the client and firmware under Windows 7 (libusb driver)
Since 4 November 2012 the Proxmark3 Google Code project has merged the USB CDC branch into the official version,
so from SVN revision 630 onward the libusb-based USB driver mode is no longer used and has been replaced by USB CDC driver mode.
However, because of the associated code changes and testing, the USB CDC mode is not yet complete or stable,
so we do not recommend that users update to those versions on their own!
Below is the method for downloading the source from SVN and compiling and installing the firmware under the old libusb driver mode.
1. Download the official Windows build environment ProxSpace (official download link).
2. Extract ProxSpace to any folder. In the ProxSpace directory, find the file "run.bat", open it in a text editor and change the following parameters:
set MYPATH=<change this path to where ProxSpace is located>
If the last line of the batch file is msys/msys.bat, change it to msys\msys.bat.
For example, if ProxSpace is extracted into the Proxmark3 directory on drive D, change it to
MYPATH=D:\Proxmark3\proxspace
Save and close the file.
3. Delete all files inside pm3 under the ProxSpace folder (it is old source code and is no longer needed; newer source is fetched in the next step).
4. Double-click "run.bat" and, once in the terminal, run the following commands to update and build.
Update the source to the latest revision via SVN and compile:
svn co http://proxmark3.googlecode.com/svn/trunk proxmark3-read-only
cd proxmark3-read-only
make all
The build normally completes without problems. The client is then generated in the client directory;
locate the following firmware files in the other directories and keep them ready:
bootrom.elf
bootrom.s19
fpgaimage.elf
fpgaimage.s19
fullimage.elf
osimage.elf
osimage.s19
Upgrading the firmware under Windows 7 and Linux (libusb driver)
This step is only for those who know how to download the latest firmware version with SVN!
Every Proxmark3 already has firmware installed when it leaves the factory!
From 2013, SVN revisions 630 and above all switched to the USB CDC driver,
so firmware downloaded from SVN at revision 630 or higher cannot be updated with this procedure; please remember this!
If you do not yet know how to operate the PM3, especially if you have only just received it, do not attempt to upgrade its firmware!
Of the firmware files below, do not update the bootrom casually; if it fails midway, the Proxmark3 will very likely no longer be recognized by the computer (commonly called "bricked").
In CMD, enter the win32 directory inside the extracted firmware folder (having first copied the files from the Firmware directory into win32) and run:
Manually update the bootrom (optional)
flasher -b bootrom.elf
Manually update the fullimage
flasher fullimage.elf
Manually update the osimage
flasher osimage.elf
Manually update the fpgaimage
flasher -b fpgaimage.elf
Updating the above is sufficient.
Using mismatched firmware and software versions causes errors; the archive includes a proxmark3.exe matching the firmware version, so use the matching software.
Firmware after r486 pairs with the proxmark3.exe software, not prox.exe; in CMD, switch to the win32 directory and run proxmark3.exe.
Updating the firmware under Linux works the same way as under Windows; the firmware files are the same.
Just copy the new firmware files into the flasher directory and update with the commands above!
If a firmware update leaves the Proxmark3 in an unrecoverable state, use a J-Link to reflash the firmware over JTAG; that restores it!
Flashing Proxmark3 firmware with J-Link
Note that the following steps apply when the bootrom section of the Proxmark3 firmware is faulty, or the bootrom has had a major update,
and the bootrom must be reflashed through the JTAG interface with a tool such as a J-Link.
For ordinary firmware updates, just hold the Proxmark3 button while connecting it to the computer
and use the flasher tool on the computer to update the fpgaimage and osimage sections.
Compiling the Proxmark from source and flashing
- Before you start
- Flash sections
- Bootloader
- FPGA image
- OS image
- Revision history and flashing procedures
- Original firmware
- Flashing procedure
- JTAG Recovery Procedure
Before you start
This document has been created assuming that you have read the relevant getting started guide
and configured your development environment accordingly.
For Windows users - Everything in this document is done from the Minimalist GNU terminal window.
Start by running "runme.bat".
Flash sections
Proxmark firmware is comprised of three logical sections:
bootrom, fpga and operating system.
The bootrom is a relatively small bit of code that performs some basic hardware initialization,
supports reflashing the device over USB and knows how to transfer execution to the operating system.
Due to the limited number of features exposed by the bootrom,
it is not frequently updated and so you should only rarely need to update it when there is a compatibility conflict.
The FPGA code processes analogue signals coming from the antennas and makes those signals available to the ARM.
Like the bootrom code, the FPGA code is not frequently updated.
Presently, the operating system is the most frequently updated portion of Proxmark code.
It is responsible for receiving and executing most of the commands advertised in the client user interface.
Upgrading the bootrom of your Proxmark can brick the device.
Please exercise caution when upgrading the bootloader.
If the bootloader is corrupted, the only way to restore your Proxmark to working order
will be through the use of a JTAG programmer.
An S19 (Motorola S-record) and ELF (Executable and Linkable Format) file is produced for each logical section.
- ELF files are used with the flasher program for upgrading the Proxmark over USB.
- S19 files are used with a JTAG programmer for upgrading the Proxmark.
Bootloader
- File name: bootrom/obj/bootrom.s19
- File name: bootrom/obj/bootrom.elf
The bootloader (sometimes also called bootrom) is a small piece of code
that enables writing to the flash over USB in the first place.
It's updated very infrequently and, due to its importance, should be left alone most of the time.
As long as your bootloader is intact you can recover any firmware error of your proxmark3
with just an USB connection and the provided flash tools.
When you destroy your bootloader, you will need a JTAG connection and associated tools to recover the device.
FPGA image
- File name: armsrc/obj/fpgaimage.s19
- File name: armsrc/obj/fpgaimage.elf
The FPGA image is the configuration/code that runs on the FPGA that sits on the proxmark3.
Since the FPGA doesn't have flash memory of its own,
this configuration is stored in the flash memory of the ARM processor
and downloaded into the FPGA on each boot of the device.
The FPGA code (called bit stream) is updated fairly infrequently,
and special tools are needed to compile the bit stream from the verilog sources.
The proxmark3 firmware source releases and SVN checkouts always contain a compiled bit stream (in fpga/fpga.bit)
which is then simply wrapped into an image file for you to flash onto the proxmark3.
OS image
- File name: armsrc/obj/osimage.s19
- File name: armsrc/obj/osimage.elf
The OS image is the main firmware code that runs on your proxmark3.
It is developed and regularly updated in the SVN, but if you don't need the latest features
you are well off using the provided binary releases.
(Note also: since the SVN is considered eternal work-in-progress, a current SVN version might not work or even build.)
The OS image and FPGA image work in tandem, so you should always flash them from the same SVN revision.
Revision history and flashing procedures
As mentioned above, the Proxmark3 is largely a constant work in progress.
Its firmware started off as a big update from the older ProxmarkII project,
and was mainly aimed at demonstrating a few key concepts rather than provide a polished end-user interface.
Over time, and thanks to the many contributions of all the developers on the project,
the firmware has evolved in many ways: new commands and features, more refined firmware architecture, etc.
Original firmware
The original firmware which is the one shipped on some pre-built Proxmark3 devices is now generally considered as outdated.
If your Proxmark3 is loaded with the original firmware, you should consider upgrading to the most recent binary release.
Flashing procedure
Ensure that you have read the prior section before proceeding.
In order to upgrade to the latest version of firmware,
you will need to first upgrade the Proxmark's bootloader.
The steps below will upgrade the Proxmark bootloader
to the version you checked out previously using the procedure from the getting started guide.
- (Optional) Update your working copy to the latest revision (refer to the getting started documentation).
- If you have not already done so, open a terminal and go to the "pm3/client" directory.
- Press and hold the button on the Proxmark while connecting it to your computer.
Continue to hold the button until the yellow and red LEDs stay lit.
- Upgrade the Proxmark bootrom by executing the following command:
sudo ./flasher -b ../bootrom/obj/bootrom.elf
At this point the bootrom has been updated and the Proxmark is now in a position to have its OS upgraded.
The following steps will upgrade the Proxmark Operating System and FPGA code to your checked revision.
- Ensure that the Proxmark is not connected to the PC.
- Hold down the Proxmark's button and connect it to the PC.
After the yellow and red LEDs are lit, execute the command below:
sudo ./flasher ../armsrc/obj/fpgaimage.elf
- If the previous step is successful, disconnect the Proxmark.
- While holding the button, connect the Proxmark to the PC and wait for the yellow and red LEDs to stay lit.
Execute the command below:
sudo ./flasher ../armsrc/obj/osimage.elf
- Disconnect the Proxmark from the PC and then reconnect it.
- Launch the client software by executing "./proxmark3.exe".
The client should successfully connect to the Proxmark. You should see something like this:
Connected units:
1. SN:ChangeMe[bus-0/\\.\libusb0-0001--0x9ac4-0x4b8f]
proxmark3>
JTAG Recovery Procedure
If for whatever reason the USB upgrade procedure (section above) failed and the Proxmark will no longer boot,
you will need to load the bootrom on to the Proxmark using the JTAG interface.
This procedure assumes that you have a Segger J-LINK for the recovery process and J-link commander installed.
Plug both the Proxmark and the Segger J-LINK in to the computer. Attach the J-LINK to the Proxmark JTAG port.
Run J-link commander. Then:
exec device = AT91SAM7S256
exec EnableFlashDL
h
loadbin "C:\proxmark3\recovery\proxmark3_recovery.bin" 0x100000
That is it!
For flashing either the bootrom or the firmware, these are the files and addresses:
bootrom.bin = 0x100000
fullimage.bin = 0x102000
Now unplug the Proxmark USB and JTAG and re-plug the Proxmark USB into the computer.
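The S19 files produced for each flash section are the JTAG-side images, and the J-Link section above gives the flash bases for bootrom.bin (0x100000) and fullimage.bin (0x102000). As an added example that is not Proxmark3 project code, the following Python parses an S19 file, verifies every record's checksum and checks that the loaded bytes fall inside the expected flash section before anything is written. The sample records are constructed for this example, and the bootrom region size of 0x2000 bytes is inferred from the two bases rather than stated on the page.

```python
"""Parse Motorola S-record (S19) firmware images and check where they land in flash.

Added example, not Proxmark3 project code. The page states that the build
produces an .s19 per flash section for JTAG programming and that
bootrom.bin loads at 0x100000 and fullimage.bin at 0x102000; the bootrom
region size of 0x2000 bytes is inferred from those two bases (assumption).
The sample records below are constructed and are not a real Proxmark3 image.
"""

BOOTROM_BASE = 0x100000
FULLIMAGE_BASE = 0x102000
BOOTROM_SIZE = FULLIMAGE_BASE - BOOTROM_BASE  # 0x2000, inferred from the page

# Address width in bytes for each S-record type.
_ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "7": 4, "8": 3, "9": 2}


def parse_srec_line(line):
    """Return (record type, address, data bytes) after verifying the checksum."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in _ADDR_BYTES:
        raise ValueError("malformed S-record: %r" % line)
    raw = bytes.fromhex(line[2:])
    count, body = raw[0], raw[1:]
    # The count covers address, data and checksum bytes.
    if count != len(body):
        raise ValueError("byte count %d but %d bytes follow" % (count, len(body)))
    # Checksum is the one's complement of the low byte of the sum of the
    # count, address and data bytes; a corrupted nibble anywhere fails here.
    if ((sum(raw[:-1]) & 0xFF) ^ 0xFF) != raw[-1]:
        raise ValueError("checksum mismatch: %r" % line)
    width = _ADDR_BYTES[line[1]]
    address = int.from_bytes(body[:width], "big")
    return line[1], address, body[width:-1]


def load_srec(text):
    """Return {address: byte} for every data record (S1/S2/S3) in the file."""
    image = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, address, data = parse_srec_line(line)
        if rtype in "123":
            for i, b in enumerate(data):
                image[address + i] = b
    return image


def address_range(image):
    """Return (lowest address, one past the highest address) of the loaded bytes."""
    return min(image), max(image) + 1


def fits_section(image, base, size):
    """True if every loaded byte lies inside [base, base + size)."""
    lo, hi = address_range(image)
    return base <= lo and hi <= base + size


# Constructed sample: header, two data records at the bootrom base, terminator.
SAMPLE_S19 = """\
S00600004844521B
S30D00100000DEADBEEF0011223344
S3090010000841424344D4
S70500100000EA
"""

if __name__ == "__main__":
    img = load_srec(SAMPLE_S19)
    lo, hi = address_range(img)
    print("loaded %d bytes at 0x%06X..0x%06X" % (len(img), lo, hi - 1))
    print("fits bootrom section:", fits_section(img, BOOTROM_BASE, BOOTROM_SIZE))
```

Running the checks before a JTAG load catches the two mistakes that most often produce an unbootable board: a file corrupted in transfer (checksum failure) and the wrong image loaded at a section base (range failure).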