User:Miecerinos/sandbox/proxmark3

Proxmark3 is an open source hardware platform for research and pentest of most types of RFID systems originally designed by Jonathan Westhue. Using an FPGA technology allows Proxmark3 to be reconfigured for a variety of tasks, including reading and writing data using the main RFID protocols, as well as data intercepting between the card and the reader.

Proxmark3 hardware description
This device supports both low frequency (125 kHz-134 kHz) and high frequency (13.56 MHz) signal processing. This is achieved by implementing two parallel antenna circuits that can be used independently. Both circuits are connected to a 4-pin Hirose connector which functions as an interface to an external loop antenna. For the purpose of acting like a PCD or reader it is possible to drive the antenna coils with the appropriate frequency. This is not needed when the Proxmark is used for sniffing or when it emulates a card. In that case the field is generated by a reader.

The signal from the antenna is routed through a Field Programmable Gate Array (FPGA). This FPGA relays the signal to the microcontroller and can be used to perform some filtering operations before relaying. The software implementation allows the Proxmark to eavesdrop communication between an RFID tag and a reader, to emulate a tag and to emulate a reader.

Despite the basic hardware support for these operations the actual processing of the digitized signal and (de)modulation needs to be programmed for each specific application.

Antennas
The proxmark supports two loop antennas that are each used to transmit and receive. One is used for LF (125kHz and 134kHz frequencies) and another for HF (13.56MHz). Antennas should be connected to a proprietary Hirose connector. A homegrown antenna does not have to connect through the Hirose connector and can be soldered directly to the test points on the PCB.

Analog to Digital Converter
The analog signal that comes from the antenna circuit is fed into an 8-bit Analog to Digital Converter (ADC). This delivers 8 output bits in parallel which represent the current voltage retrieved from the field.

Field Programmable Gate Array
The 8 output pins from the ADC are connected to 8 pins of the Field Programmable Gate Array (FPGA). An FPGA has a great advantage over a normal microcontroller in the sense that it emulates hardware. A hardware description can be compiled and flashed into an FPGA.

Because basic arithmetic functions can be performed fast and in parallel by an FPGA it is faster than an implementation on a normal microcontroller. Only a real hardware implementation would be faster but this lacks the flexibility of an FPGA.

The FPGA can therefore be seen as dynamic hardware. It is possible to make a hardware design and flash it into the memory of the FPGA. This gives some major advantages :


 * "Hardware" errors can be corrected, the FPGA can be flashed with a new hardware design.
 * Although not as fast as a real hardware implementation, an FPGA is faster than its equivalent on a microprocessor. That is, it is specialized for one job.

The FPGA has two main tasks. The first task is to demodulate the signal received from the ADC and relay this as a digital encoded signal to the ARM. Depending on the task this might be the demodulation of a 100% Amplitude Shift Keying (ASK) signal from the reader or the load modulation of a card. The encoding schemes used to communicate the signal to the ARM are Modified Miller for the reader and Manchester encoding for the card signal.

The second task is to modulate an encoded signal that is received from the ARM into the field of the antenna. This can be both the encoding of reader messages or card messages. For reader messages the FPGA generates a electromagnetic field on power hi and drops the amplitude for short periods.

Microcontroller
The microcontroller is responsible for the protocol part. It receives the digital encoded signals from the FPGA and decodes them. The decoded signals can just be copied to a buffer in the EEPROM memory. Additionally, an answer to the received message can be send by encoding a reply and communicating this to the FPGA.

The microcontroller (ARM) implements the transport layer. First it decodes the samples received from the FPGA. These samples are stored in a Direct Memory Access (DMA) buffer. The samples are binary sequences that represent whether the signal was high or low. The software on the ARM tries to decode these samples. When the Proxmark is in sniffing mode this is done for both the Manchester and Modified Miller at the same time. Whenever one of the decoding procedures returns a valid message, this message is stored in another buffer (BigBuf ) and both decoding procedures are set to an unsynced state. The BigBuf is limited to the available memory on the ARM. In the current firmwares, 40 KB of memory is reserved for the traces (Besides the traces the buffer also stores some temporary data that is needed in the processing). When the BigBuf buffer is full the function normally returns. A new function call from the client is needed to download the BigBuf contents to the computer. The BigBuf is especially useful for protocol investigation. Every single message is stored in this buffer. When a card is emulated or when the Proxmark is used as a reader the BigBuf can be used to store status messages or protocol exceptions.

USB
The USB interface interconnects the Proxmark with an external power supply and / or a computer for advanced functionality.

Antenna connector
The antenna connector is a Hirose Electric low profile, surface mount, right-angle 4 pin connector. This connector allows for the simultaneous connection of a low and high frequency antenna.