User:Ivy Stolz/sandbox/proxmark3

From Wikipedia, the free encyclopedia
Proxmark3
First version of Proxmark3 originally designed by Jonathan Westhues
Date invented: 2007
FPGA: Xilinx Spartan®-II
Processor: Atmel AT91SAM7S256
Memory: 256Kb flash

Proxmark3 is an open source hardware platform for RFID analysis, designed to operate with low- and high-frequency systems at 125 kHz, 134 kHz and 13.56 MHz. It was originally created as a PhD project by Jonathan Westhues as an instrument for the research of RFID systems.

Applications

The Proxmark3 platform is used for analysis of and interaction with various systems operating at 125 kHz, 134 kHz and 13.56 MHz, e.g. cloning, copying and emulating different types of cards and tags[1]. It has simplified the work of researchers in security analysis of near-field communication[2], reverse engineering[3] and cryptography.[4]

It has not only found use in academic research, product development and penetration testing, but has also built a strong community, which has been able to continue developing and maintaining the project over the years thanks to the unchanging architecture used across several hardware revisions.[5]

Principles of operation

A simplified functional diagram of Proxmark3 is given in the figure below. The antenna connector has four connection pins. Two of them are used to connect a high-frequency (HF) antenna; the high-frequency transmission and reception paths are connected in parallel to these two pins. The other two pins are used in the same way with a low-frequency (LF) antenna and the low-frequency transmission and reception paths.

In operation, only two pins are connected to an antenna. On each of the reception paths, any radio-frequency signal arriving from the connector passes through a demodulating circuit. The choice between high frequency and low frequency is made by a multiplexer, which selects the output of one of the two demodulation circuits. The signal is then digitized to 8 bits by the analog-to-digital converter, the output of which is connected to the FPGA. For transmission, the FPGA sends a signal to one of the two amplifier circuits, which then relays it to the antenna connector.

The FPGA lightens the load on the microcontroller, which could otherwise be overwhelmed by signal processing, especially at 13.56 MHz. The FPGA code consists of a main file and several auxiliary files, each containing a module. The main file implements the reception of commands sent by the ARM microcontroller. In the command sent by the microcontroller.

Proxmark3 community

The original hardware design was created before microcontrollers became capable of providing the high-bandwidth signal processing required by the RFID protocols. Proxmark3 therefore had a split architecture, with a microcontroller providing the high-level functionality while an FPGA is used for the heavy lifting[6]. As a result, most of the signal processing is performed in software. This allows the strong community of enthusiasts[7] to reconfigure the device for different modulation schemes and to contribute to further enhancing the Proxmark3 project. The official repository of the volunteers is hosted on GitHub.[8]

The latest hardware revision of the Proxmark 3 platform, presented at the BlackAlps cyber security conference in 2018[9], was designed by the moderators of the Proxmark forums, Chris Herrmann (iceman), Kevin Barker (0xFFFF) and others.

Comparison of existing versions

| | Proxmark 3 | Proxmark 3 RDV 2 | Proxmark 3 Easy | Proxmark 3 EVO | Proxmark 3 RDV4 |
|---|---|---|---|---|---|
| CPU | AT91SAM7S512 | AT91SAM7S512 | AT91SAM7S256 | AT91SAM7S512 | SAM7S512 |
| Storage | 512Kb SPI flash | 512Kb SPI flash | 256Kb SPI flash | External 2MBits / 512Kb SPI flash | External 2MBits / 256Kb SPI flash |
| Interface | 1x mode LEDs, 1x button | 4x mode LEDs, 1x button | 4x mode LEDs, 1x button | 1x RGB LED, 1x button | 4x power LEDs, 4x mode LEDs, 1x button |
| Antennas | LF and HF; untuned, internal | LF and HF; pretuned, removable | LF attached; HF integrated | LF and HF; pretuned, internal | LF (125KHz): 70mm @ 65V; HF (13.56MHz): 88mm @ 44V |

  1. ^ "A Test Instrument for HF/LF RFID". cq.cx. Retrieved 2021-05-03.
  2. ^ Giese, Dennis; Liu, Kevin; Sun, Michael; Syed, Tahin; Zhang, Linda (2018-05-16). "Security Analysis of Near-Field Communication (NFC) Payments".
  3. ^ "Reverse Engineering and Security Evaluation of Commercial Tags for RFID-Based IoT".
  4. ^ Gans, Gerhard de Koning; Hoepman, Jaap-Henk; Garcia, Flavio D. (2008-06-26). "A Practical Attack on the MIFARE Classic". arXiv:0803.2285 [cs].
  5. ^ "Proxmark 3 | Proxmark". proxmark.com. Retrieved 2021-05-03.
  6. ^ "Proxmark/proxmark3". GitHub. Retrieved 2021-05-03.
  7. ^ "Proxmark/proxmark3". GitHub. Retrieved 2021-05-04.
  8. ^ Proxmark/proxmark3, Proxmark, 2021-05-04, retrieved 2021-05-04
  9. ^ BlackAlps 2018: Unlocking Secrets Of The Proxmark3 RDV4.0 - Christian Herrmann And Kevin Barker, retrieved 2021-05-04