New stand-alone firmware/binaries available with HID cloning

samy · 2009-07-13 06:23:59

Peeps,

I've uploaded some new sources that provides a stand-alone mode for the proxmark3. The stand-alone mode allows you to record up to two separate HID tags and then replay them later (you need to keep power on as it doesn't write to flash yet...see my last post

This does NOT affect the standard mode when connected to your PC.

To get into stand-alone mode (works with or without a PC), hold the button for a second. You'll see the lights go into a synchronized little bit. When done, the red1 LED will be lit. When using a PC, debug output will be printed so you see what's going on.

When just red1 (next to the other two LEDs) is lit, that means slot 1 (red1) is selected.
When just orange is lit, that means slot 2 (orange) is selected.

When red2 is lit (and either red1/orange), that means the pm3 is recording and waiting for an HID tag to be detected. Once detected, the red2 light will turn off and the tag will be stored in the selected slot.
When green is lit (and either red1/orange), that means that specific slot is simulating the HID tag stored on that slot.

To record, hold down the button for 1 second until the red2 light comes on. This will record to the active slot (either red1 or orange).
To play, just press the button and the green light comes on for the selected slot.
To switch to either slot, press the button again. You may need to press twice (once to play the current slot, then to switch to the next slot).

So pressing four times would do:
red1 (selected 1) -> red1+green (playing 1) -> orange (selected 2) -> orange+green (playing 2) -> red1 (selected 1) ...

Sorry if it's bit confusing. Potentially easier to understand if you try it out. Again, won't affect normal operation.

You can grab the latest source (r50 or higher) or grab the Windows, Linux and firmware binaries here: http://proxmark3.googlecode.com/files/p … 12-r50.zip

duran97 · 2009-07-13 08:24:00

Well done!

samy · 2009-07-13 09:30:54

I have a bug fix for client mode where debugging wouldn't get printed out (only sometimes?)

http://code.google.com/p/proxmark3/down … 13-r52.zip

Additionally I've added a "readmem" function which will read memory from flash and display a few bytes at a time. Needs to be improved but just a function to get started with.

adam@algroup.co.uk · 2009-07-13 10:45:24

Very cool! Tested against my OmniKey 5325 and various HID tag types and it worked like a charm...

adam@algroup.co.uk · 2009-07-13 13:15:03

I hope you don't mind but I've taken the liberty of tweaking the code slightly so that button presses are now not timing dependent... I was finding it hard to reliably switch from one mode to another, so it now waits for the button to be released before making a decision as to what just happened...

I've also added the ability to exit back to the main program without having to reset the PM3, which you do by holding down the button whilst in 'play' mode - i.e. when the green light is on.

samy · 2009-07-13 19:06:39

Adam, I saw that, thanks! Yeah, my button press code was a little finicky, thanks for cleaning that up!

Also a little bit more usage for developers, you'll notice we have two new button press options -- button holding and a double click feature (when BUTTON_CLICKED() returns BUTTON_DOUBLE_CLICK)

This brings us to button press, double button press, and button hold (which can be for variable amount of time, but 1000ms seems reasonable). I haven't used the double click for anything yet, though.

I think I still have an issue with USB detection. DbgPrint statements stop the PM3 from operating if not actually connected to a PC, but I wasn't correctly detecting if it's connected or not.

Anyone know the correct way to detect if the PM3 is connected to a computer or not (non-blocking, of course

ryan · 2009-07-14 06:27:26

Samy mode seems to work fine when connected to a USB battery charger after uncommenting the if (!usbattached) line and the line below it in DbpString and DbpInteger. I'm assuming these lines commented out for a reason. Anybody know why? I don't see anything obviously broken by doing this.

void DbpString(char *str)
{
  /* this holds up stuff unless we're connected to usb */
  if (!usbattached)
    return

samy · 2009-07-14 06:57:21

I think if they're uncommented and you run it with a PC, any debug output won't display any more (such as when running hidfskdemod).

I have to determine when a USB device is really attached or not and I don't think my method was working properly (those lines). However, commenting those out, it should work great with just a battery. I tested this morning against an HID reader for a garage door system.

I'll be working on getting it to write the read cards to flash soon, however I wrote over my bootrom today so I can't do any development until I get a JTAG cable. Hopefully in the next few days!

ryan · 2009-07-31 23:00:40

Hey guys I found a non-blocking way to check for USB connectivity through the CPU registers. Patches for appmain.c, usb.c, and proxmark3.h are included below. I tested this out and I can now enter stand-alone mode whether usb is attached to a PC or not.

diff -u -N ../proxmark3-read-only/armsrc/appmain.c armsrc/appmain.c
--- ../proxmark3-read-only/armsrc/appmain.c 2009-07-31 16:24:40.000000000 -0500
+++ armsrc/appmain.c 2009-07-31 16:53:08.000000000 -0500
@@ -13,7 +13,6 @@
#include "LCD.h"
#endif

-int usbattached = 0;

//=============================================================================
// A buffer where we can queue things up to be sent through the FPGA, for
@@ -64,8 +63,8 @@
void DbpString(char *str)
{
/* this holds up stuff unless we're connected to usb */
-// if (!usbattached)
-// return;
+ if (!UsbConnected())
+ return;

UsbCommand c;
c.cmd = CMD_DEBUG_PRINT_STRING;
@@ -80,8 +79,8 @@
void DbpIntegers(int x1, int x2, int x3)
{
/* this holds up stuff unless we're connected to usb */
-// if (!usbattached)
-// return;
+ if (!UsbConnected())
+ return;

UsbCommand c;
c.cmd = CMD_DEBUG_PRINT_INTEGERS;
@@ -266,7 +265,7 @@

for (;;)
{
- usbattached = UsbPoll(FALSE);
+ UsbPoll(FALSE);
WDT_HIT();

// Was our button held down or pressed?
@@ -723,7 +722,7 @@
#endif

for(;;) {
- usbattached = UsbPoll(FALSE);
+ UsbPoll(FALSE);
WDT_HIT();

if (BUTTON_HELD(1000) > 0)

diff -u -N ../proxmark3-read-only/include/proxmark3.h include/proxmark3.h --- ../proxmark3-read-only/include/proxmark3.h 2009-07-31 16:24:36.000000000 -0500
+++ include/proxmark3.h 2009-07-31 16:28:18.000000000 -0500
@@ -52,6 +52,7 @@
// USB declarations

void UsbSendPacket(BYTE *packet, int len);
+BOOL UsbConnected();
BOOL UsbPoll(BOOL blinkLeds);
void UsbStart(void);

diff -u -N ../proxmark3-read-only/common/usb.c common/usb.c
--- ../proxmark3-read-only/common/usb.c 2009-07-31 16:24:42.000000000 -0500
+++ common/usb.c 2009-07-31 16:27:38.000000000 -0500
@@ -436,6 +436,14 @@
}
}

+BOOL UsbConnected()
+{
+ if( UDP_GLOBAL_STATE & UDP_GLOBAL_STATE_CONFIGURED)
+ return TRUE;
+ else
+ return FALSE;
+}
+
BOOL UsbPoll(BOOL blinkLeds)
{
BOOL ret = FALSE;

samy · 2009-08-01 03:02:19

Awesome ryan, thanks.

I just tried testing but my pm isn't flashing anything, just sits at "...no device connected, polling for it now". Great.

Will have to wait till I'm home from defcon till I can JTAG and then re-test. Once I test I'll go ahead and check it in.

n0t · 2009-11-21 20:07:38

Nice work samy it works great!

d18c7db · 2009-11-22 23:25:46

Also this standalone mode might be interesting wink wink nudge nudge

samy · 2009-11-23 07:13:43

d18, are you a hand model?

Let me know when that's up! I need to get an LCD first I suppose...

n0t · 2009-11-24 16:26:35

d18c7db really nice!
Is that a microsd slot?
Can you save the results too?

I gonna add a touch screen!

samy does your source work using a battery?

samy · 2009-11-24 19:45:57

n0t, yeah, it was made to be used with just a USB power source.

I have two different Lenmar USB batteries that work pretty well. I can fit the proxmark3, the battery, all hooked up into an altoid case which is pretty convenient, with space to spare.

I just need to add the ability to write to flash so you can turn it off and on and still be able to replay the previous tags you've captured (right now you have to keep the power source on to replay)

n0t · 2009-11-30 04:03:37

Just finished making my battery; hooked it up to a male and female usb connector with a switch.
When I turn the switch on it powers the pm; and when off it charges the battery via usb port and usb data is also passed through.
This way I don't need to write to any flash. Just scan a couple of tags when on battery and hook it up to my computer to save the results.

sammy any way you can incorporate ryan's code to make it work using a battery?

EDIT:
Nevermind I changed the code myself.

Last edited by n0t (2009-12-17 22:54:07)

Proxmark3 community

Announcement

#1 2009-07-13 06:23:59

New stand-alone firmware/binaries available with HID cloning

#2 2009-07-13 08:24:00

Re: New stand-alone firmware/binaries available with HID cloning

#3 2009-07-13 09:30:54

Re: New stand-alone firmware/binaries available with HID cloning

#4 2009-07-13 10:45:24

Re: New stand-alone firmware/binaries available with HID cloning

#5 2009-07-13 13:15:03

Re: New stand-alone firmware/binaries available with HID cloning

#6 2009-07-13 19:06:39

Re: New stand-alone firmware/binaries available with HID cloning

#7 2009-07-14 06:27:26

Re: New stand-alone firmware/binaries available with HID cloning

#8 2009-07-14 06:57:21

Re: New stand-alone firmware/binaries available with HID cloning

#9 2009-07-31 23:00:40

Re: New stand-alone firmware/binaries available with HID cloning

#10 2009-08-01 03:02:19

Re: New stand-alone firmware/binaries available with HID cloning

#11 2009-11-21 20:07:38

Re: New stand-alone firmware/binaries available with HID cloning

#12 2009-11-22 23:25:46

Re: New stand-alone firmware/binaries available with HID cloning

#13 2009-11-23 07:13:43

Re: New stand-alone firmware/binaries available with HID cloning

#14 2009-11-24 16:26:35

Re: New stand-alone firmware/binaries available with HID cloning

#15 2009-11-24 19:45:57

Re: New stand-alone firmware/binaries available with HID cloning

#16 2009-11-30 04:03:37

Re: New stand-alone firmware/binaries available with HID cloning

Board footer