# Proxmark Adventures 101

I've been meaning to purchase a Proxmark for a long time; I've even checked out the fake ones on Taobao and AliExpress. I recently moved to China to pursue my YOLO start-up adventure: spreading the good old "Red Team", or attacker, mindset through practical, technique-driven services.\
Since arriving in Shenzhen and Hong Kong, I've met many new friends. One day, [Kevin Mitnick](https://twitter.com/kevinmitnick) introduced me to [Dennis Goh](https://www.rfxsecure.com/) and [Olaf Tan](http://proxgrind.com/) – the creators of Proxmark 3 Rdv4.0.

The Proxmark 3 Rdv4.0 has been on Kickstarter for the past couple of months and has seen a surge of interest from both enthusiasts and security professionals.

[Kickstarter - Proxmark3 Rdv4.0](https://www.kickstarter.com/projects/1408815241/proxmark3-rdv-40)

## Disclaimer <a href="#disclaimer" id="disclaimer"></a>

I'm not a mega RFID expert, so some terminology may be incorrect, but the post is aimed at helping those new to RFID and Proxmark usage understand the basics.

## What is the Proxmark 3 Rdv4.0? <a href="#whatistheproxmark3rdv40" id="whatistheproxmark3rdv40"></a>

If you're in the security industry, you've probably already heard of the Proxmark. For those who haven't, here's a quick, simple background on the project and device. The Proxmark 3 RDV4 is one of many revisions of the open-source Proxmark device project, which is designed to allow RFID reading, sniffing and manipulation. RFID is widely used across many industries in many implementations, even more so in China. It's difficult to get through a single day without coming into contact with several RFID-enabled devices. The most common implementation I see is door access control, but RFID is also used to track purchases in next-generation stores that have no tills, and I've recently found that some high-end luxury brands use RFID tags as authenticity signatures.

In practical, simple terms, the Proxmark 3 RDV4 allows the user to read and write the contents of RFID chips. One of the most common attacks we use as offensive security professionals is cloning. As long as the tag presents static data, with no challenge-response, time-based or one-time material involved, its contents can simply be copied to a blank tag and replayed, regardless of whether they are encrypted or signed: the reader only ever sees the same signal it saw from the original tag.

Some photos of the Proxmark 3.0 RDv4 project that Dennis and Olaf have been working on:

![](/files/-LP7T5hHVwPqA1_BGZld)

![](/files/-LP7T752JsWtCKwerP53)

![](/files/-LP7TA3f49q8M56Syw1-)

You might be wondering why there's no visible antenna: the RDV4's antennas sit inside the enclosure, so nothing gives the device away. The device also supports standalone mode and can be concealed nicely for reading RFID data. The only issue is the proximity required to read. At the current read range an attack would most definitely succeed, but a long-range reader would be more effective given the theoretical read distances of each RFID type.

## Low Frequency vs High Frequency RFID <a href="#lowfrequencyvshighfrequencyrfid" id="lowfrequencyvshighfrequencyrfid"></a>

In general, there are two main RFID categories we work with: Low Frequency and High Frequency. Key facts for us to digest and understand:

* Low Frequency operates at 125 kHz to 134.2 kHz; the practical read distance is usually between 10 cm and 30 cm.
  * Used for items such as the door key fobs we often see.
* High Frequency operates at 13.56 MHz; the theoretical read distance ranges from about 10 cm for ISO 14443 proximity cards up to about 1 m for ISO 15693 vicinity tags.
  * Used for items such as hotel door keys and certain store membership cards.

Other RFID categories that I don't think the Proxmark supports, but which we should know exist:

* Ultra-High Frequency operates at 860 MHz to 960 MHz. First-generation tags have a read distance of over 1 m, second-generation tags up to 12 m, and the newest generation up to 50 m.

## Getting the Proxmark 3 Rdv4.0 working <a href="#gettingtheproxmark3rdv40working" id="gettingtheproxmark3rdv40working"></a>

I had some issues getting the Proxmark 3 working out of the box. I tried to run it on Linux and the firmware wasn't working, or something along those lines. I plugged it into Windows instead and flashed the firmware from the latest Gator package available here:\
<http://www.proxmark.net/forum/viewtopic.php?id=3975>

After doing so, running the client was fine. Just execute:\
`proxmark3.exe <COM port>` (for example `proxmark3.exe COM3`)\
To find the COM port, open devmgmt.msc and check which port the device is connected on.

## Cloning Low Frequency Tag <a href="#cloninglowfrequencytag" id="cloninglowfrequencytag"></a>

In this post I'll quickly go over a low frequency tag clone I did for a target this week. I won't go into high frequency in this blog post.\
Ensure the device is working by running:\
`hw tune`\
Place the target tag on the reader and run it again:\
`hw tune`\
If the voltage drops on either the HF or the LF antenna, you know which frequency the tag uses. If the LF voltage drops, it's an LF tag.\
To identify and read the tag:\
`lf search`\
To read the contents of an EM410x tag:\
`lf em 410xwatch`

Example:

```
Checking for known tags:

EM410x pattern found:

EM TAG ID      : A600YYYYY

Possible de-scramble patterns
Unique TAG ID  : 6C000215F5
HoneyWell IdentKey {
DEZ 8          : 0423xxxx
DEZ 10         : 000423xxxx
DEZ 5.5        : 000xx.xxxxx
DEZ 3.5A       : 05x.xxxxx
DEZ 3.5B       : 00x.xxxxx
DEZ 3.5C       : 06x.xxxxx
DEZ 14/IK2     : xxxx19xxxxxxxx
DEZ 15/IK3     : xxxxx38xxxxxxxx
DEZ 20/ZK      : xxxxxx000002xxxxxxxx
}
Other          : xxxx3_0x4_042xxxxx
Pattern Paxton : 9115xxxxx [0x36xxxxxx]
Pattern 1      : 840xxxx [0x80xxxx]
Pattern Sebury : 43xxx 6x 423xxxx  [0xAxxx 0x4x 0x4xxxx]

Valid EM410x ID Found!
```

Place the destination tag (a writable T55x7) on the reader and write the ID to it; the trailing `1` selects the T55x7 card type:\
`lf em 410xwrite <EMTAGID> 1`\
`lf em 410xwrite A600YYYYY 1`\
Finally, run `lf search` against the destination tag to confirm that the same EM TAG ID reads back before taking it to the target reader.
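To make the cloning step concrete, here is an added example of my own (Python, not code from the original post or from the Proxmark project). It builds the 64-bit EM410x frame that `lf em 410xwrite` programs onto the destination tag, and decodes such a frame back to an ID while checking the header, the per-nibble row parity, the column parity and the stop bit, as a reader does. The ID `0123456789` is a constructed sample, and the `unique_id` helper assumes that the client's "Unique TAG ID" line is simply the whole 40-bit ID bit-reversed.

```python
"""EM410x (EM4100) frame encoder/decoder.

Added example, not Proxmark code. The frame layout is: 9 header ones,
10 ID nibbles (MSB first) each followed by an even row-parity bit,
4 even column-parity bits, and a 0 stop bit, 64 bits in total.
"""

HEADER = "1" * 9


def _parity(bits):
    """Even parity bit (0 or 1) for an iterable of 0/1 ints."""
    return sum(bits) & 1


def em410x_encode(tag_id):
    """Return the 64-bit frame as a '0'/'1' string for a 40-bit ID given as 10 hex digits."""
    tag_id = tag_id.strip().upper()
    if len(tag_id) != 10 or any(c not in "0123456789ABCDEF" for c in tag_id):
        raise ValueError("EM410x ID must be exactly 10 hex digits (40 bits)")
    # Each hex digit becomes a nibble, most significant bit first.
    nibbles = [[(int(c, 16) >> s) & 1 for s in (3, 2, 1, 0)] for c in tag_id]
    frame = [1] * 9
    for nib in nibbles:
        frame += nib + [_parity(nib)]              # row parity per nibble
    frame += [_parity(n[col] for n in nibbles) for col in range(4)]  # column parity
    frame.append(0)                                 # stop bit
    return "".join(map(str, frame))


def em410x_decode(bits):
    """Recover the ID from a demodulated bitstream, or return None if no valid frame exists.

    A sniffed capture rarely starts at the header and may contain several
    repetitions, so every offset is tried until a frame passes all checks.
    """
    bits = [int(b) for b in bits if b in "01"]
    if len(bits) < 64:
        return None
    doubled = bits + bits[:63]                      # allow wrap-around
    for start in range(len(bits)):
        frame = doubled[start:start + 64]
        if frame[:9] != [1] * 9 or frame[63] != 0:
            continue
        nibbles = []
        for i in range(10):
            chunk = frame[9 + 5 * i: 9 + 5 * i + 5]
            if _parity(chunk[:4]) != chunk[4]:      # row parity failed
                break
            nibbles.append(chunk[:4])
        if len(nibbles) != 10:
            continue
        cols = frame[59:63]
        if any(_parity(n[c] for n in nibbles) != cols[c] for c in range(4)):
            continue                                # column parity failed
        return "".join("%X" % int("".join(map(str, n)), 2) for n in nibbles)
    return None


def unique_id(tag_id):
    """Bit-reverse the whole 40-bit ID (assumed to be what the client prints as 'Unique TAG ID')."""
    value = int(tag_id, 16)
    rev = 0
    for _ in range(40):
        rev = (rev << 1) | (value & 1)
        value >>= 1
    return "%010X" % rev


if __name__ == "__main__":
    sample = "0123456789"                           # constructed sample ID
    frame = em410x_encode(sample)
    print("frame :", frame)
    print("decode:", em410x_decode(frame[20:] + frame[:20]))  # rotated capture
    print("unique:", unique_id(sample))
```

Because every nibble carries its own parity bit and the columns carry a second set, a single corrupted bit in a sniffed stream makes decoding fail rather than yielding a plausible-looking wrong ID, which is why a clean `lf search` read is worth confirming before writing the ID to the T55x7.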

## Conclusion <a href="#conclusion" id="conclusion"></a>

Okay, I hope you all learned something. I hope to share more posts in the future as a result of Dennis and Olaf's work. They've got some pretty interesting gadgets in the pipeline, and I'd definitely recommend keeping an eye out for them!

## Credits <a href="#credits" id="credits"></a>

[Iceman](https://twitter.com/herrmann1001) - Proxmark\
0xFFFF - Proxmark\
Vincent Yiu

![](https://vincentyiu.co.uk/content/images/2018/07/qr.png)
