Home
Prox / RFID
[...markii] †
Verichips
Ladder Logic
SolveSpace (3d CAD)
SketchFlat (2d CAD)
Photographs
Miscellany
Resume / Consulting
Contact Me
Bookmark and Share

For Anything: proxmarkii

This device is obsolete; my proxmark3 replaces it completely. I will leave the description, but it is of only historical interest.

*              *              *    

My initial prox card `cloner' did the job, but it was not very general. Because I use analog circuitry to demodulate the signal from the antenna, the hardware is capable of dealing with only a single modulation scheme—BPSK, with the modulating frequency and bit times that I chose to work with the Flexpass cards. It has to be like that; the PIC is not powerful enough to do it any other way.

Since then I have built a considerably more general device. My new device is capable of working with nearly any kind of 125 kHz card, and many types of 13.56 MHz cards. It is also capable of bidirectional communication, so that it can send data from the reader to the tag. This is necessary to work with most of the newer tags, including any cryptographic tag. (Note, of course, that a tag that uses cryptographic techniques can resist any practical attempts to clone it over the air; but I can still talk to the tag, and do anything that its reader could, even if I cannot clone the thing.)

The system is based around an ARM7 microprocessor. I chose an AT91 part from Atmel, for its ease of integration—it has adequate on-chip flash and SRAM—and for its wide range of peripherals. In particular, the AT91SAM7S64 has a USB slave peripheral. That makes it convenient to send large amounts of data from the device to a PC, very quickly; for example, I can do an `oscilloscope view' of the signal from the tag, so that I can get some idea of what a tag is doing, without additional test equipment and before I write the code to demodulate that signal into bits.

A small amount of analog circuitry is used to fix the dynamic range of the signal from the antenna. This is the usual problem, that we receive the superposition of our transmitted carrier and the returned signal from the tag, and that we really just care about the latter. After that the signal goes straight into an A/D; all further processing is digital. To date I have tested against two different prox cards: a `Radionics' card with no other markings, and an HID Prox Card II. This is a waveform from the Radionics card:

It is easy to see that this card uses ASK. The Prox Card II uses slow FSK:

Since these were all ID-only cards, there was no need to demodulate the signal in real time. I therefore just transfer the samples to my PC, and convert them into bits over there.

I can also read or simulate TI-type tags; these tags communicate with the reader in a somewhat different way, so that special hardware was required to deal with them. Still, they seem to work fine:

The trace is not the raw signal from the ADC; it is the difference between the output powers of matched filters for the two FSK tones, so that it is basically a plot of the soft decision on the bit.

I designed this device to be as flexible as possible. Certainly, I can read or simulate most kinds of tags. In addition to this, the device is capable of working in `snoop' mode, in which it passively listens to signals from other RFID tags and readers. This is necessary to investigate `reader talks first' bidirectional tags—it is necessary to start out by snooping, to find out what the reader is saying to the tags, so that you can duplicate it.

There is circuitry to modulate the transmitted carrier, in order to send data to the tag. This is also what I use for the `simulated tag' modes. I use the synchronous serial port's data-out line as a sort of a 1-bit DAC. That allows me to queue up the desired pattern in a DMA buffer, and to send it from there to a serial port. The timing is therefore determined by the serial port, which is easily programmed, and not by processor cycle-counting, or something inconvenient like that.

The ARM7 at 48 MHz gives more than enough processing power. There is no need to be very efficient, so everything can be written in C. I used arm-elf-gcc, which generates more than good enough code. I wrote a bootrom, so that I can load new code over USB.

The hardware is not really that remarkable. It is a low-end RFID tag reader, with an interesting receive path, though with a curiously weak transmitter. The `simulated tag' modes are the only thing that is unique. Still, I expect that it will take a lot of the drudgery out of cloning ID-only tags, and it is really the only practical way to experiment with the more advanced transponders.

A commercial RFID tag reader offers no possibility to manipulate the lower layers of the protocol over the air; it just gives you the ID, or the piece of information that you requested, and it doesn't tell you what it went through that get that. For ID-only tags (like most low-frequency prox cards), the ID is really all that there is to know. Modern tags are more complex, though; they do things like anti-collision, or crypto, or addressable memory on the tag. As these more interesting tags become more prevalent, it seems terrible not to be able to know this, and that is not possible without either (a) getting schematics and code for a suitable commercial reader, or (b) starting from scratch. Option (a) did not seem plausible; I therefore started from scratch.

The hardware works, but so far I have been unfortunately lazy. I have written code to read and clone a few types of ID-only cards, but that's about it. I can program rewritable TI-type tags, but that's pretty easy; they barely talk back when you do. As far as I can tell, the hardware is perfect. The A/D that I thought might be too slow turned out to be too slow; my fallback plan, which was to sample only every other or (for BPSK at 62.5 kHz, where every other breaks down) every third 125 kHz cycle, works just as well in practice. A fast sample-and-hold is really more important than a fast A/D....

I run it off a lithium-poly cell, which can be recharged when the device is plugged in to USB. The user interface is a bit spartan, just three LEDs and a pushbutton. The smaller size is nice; it's no larger than a business card. Certainly this is a much more fun device to carry; you can read people's cards, and look at the 'scope view on your laptop, and reverse-engineer the protocol in real time. I have yet to do anything with a not-ID-only tag, which is somewhat pathetic.

As far as I know, it is not possible to buy a device like the one that I have described above, and an instrument like this is practically essential for anyone experimenting with the latest generation of transponders. If anyone is interested in doing low-level work with RFID tags, then you could presumably save some time by starting with the platform that I have built. I do have many extra bare boards. At some point I intend to freely distribute the schematics, layout, and software, but there is a lot that must first be cleaned up. I will see.

As an example of the capabilities of this device, I go through the steps involved in cloning a Verichip. This is the same sort of process that would be required to clone any kind of ID-only tag. For a bidirectional (e.g multipage or anticollision) tag, the process would be similar but more complex.

December 2005; Cambridge MA