Standalone mode
The most curious concept of Proxmark3 is standalone mode.
If you can power your device from battery, you can run small modules from the PM3 itself, without needing a computer running the PM3 client.
These modules are usually limited to a single function, e.g. "read and emulate a Legic Prime RFID tag". This also means the user interface is limited to the LEDs and the button:
LEDS | BUTTON PRESS |
---|---|
4 leds (A,B,C,D) | short, long or multiple (twice) |
All standalone modes use this differently, and it is hard to figure out what is what. Looking at the source code for each mode generally helps!
To enter the currently flashed standalone mode, press and hold the button until the LEDs play a short animation.
Warning: all standalone modes that target generic PM3 devices will lose data on power loss (or if the battery goes flat). Standalone modes that take advantage of RDV4-specific features can overcome this by storing data to flash.
For any Iceman-based repo, the most popular public standalone modes are quite easy to compile and install.
In this repo it's even easier than before. The default standalone mode is HF_MSDSAL.
Table of built-in standalone modes:
Module | Description | Author | Device target |
---|---|---|---|
LF_EM4100EMUL | Simulate predefined EM4100 tags | Artyom Gnatyuk | All |
LF_EM4100RSWB | Read/simulate/brute/clone EM4100 tags | Monster1024 | All |
LF_EM4100RWC | Read/simulate/clone EM4100 tags | Artyom Gnatyuk | All |
LF_HIDBRUTE | HID corporate 1000 bruteforce | Federico dotta & Maurizio Agazzini | All |
LF_HIDFCBRUTE | HID Facility Code bruteforce | ss23 | RDV4 |
LF_ICEHID | LF HID / IOprox / AWID / EM4100 collector to flashmem | Iceman1001 | RDV4 |
LF_NEXID | Nexwatch credentials detection mode | jrjgjk & Zolorah | RDV4 |
LF_PROXBRUTE | HID ProxII bruteforce | Brad Antoniewicz | All |
LF_SAMYRUN | HID26 read/clone/sim | Samy Kamkar | All |
LF_SKELETON | Standalone mode skeleton | Iceman1001 | All |
LF_THAREXDE | LF EM4x50 simulator/read standalone mode | tharexde | RDV4 |
HF_14ASNIFF | HF 14a sniff to flashmem | Michael Farrell | RDV4 |
HF_14SNIFF | HF 15693 sniff to flashmem | Nathan Glaser | RDV4 |
HF_AVEFUL | MIFARE Ultralight read/simulation | Ave Ozkal | All |
HF_BOG | HF 14a sniff ULC/ULEV1/NTAG auth to flashmem | Bogito | RDV4 |
HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID | Anze Jensterle | All |
HF_COLIN | MIFARE ultra fast sniff/sim/clone to flashmem | Colin Brigato | RDV4 |
HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem | Iceman1001 | RDV4 |
HF_LEGIC | Read/simulate Legic Prime tags (RDV4: + save to flashmem) | Stefanie Hofmann & Uli Heilmeier | All / RDV4 * |
HF_MATTYRUN | MIFARE sniff/clone | Matías A. Ré Medina | All |
HF_MFCSIM | MIFARE Classic simulate | Ray Lee | RDV4 |
HF_MSDSAL | (default) Read and emulate MSD Visa cards | Salvador Mendoza | All |
HF_REBLAY | 14A relay over BT | Salvador Mendoza | All |
HF_TCPRST | IKEA Rothult ST25TA, Standalone Master Key Dump/Emulation | Nick Draffen | Yes |
HF_TMUDFORD | Read and emulate ISO15693 card UID | Tim Mudford | All |
HF_YOUNG | MIFARE sniff/simulation | Craig Young | Yes |
Warning: some standalone modes take advantage of RDV4-specific features, which may not work on non-RDV4 devices. You will most likely need to read the source code to understand what is supported.
The standalone module can be switched in the file Makefile.platform. Only one standalone module can be chosen at a time.
- Copy Makefile.platform.sample to Makefile.platform
- Edit the STANDALONE variable inside Makefile.platform. You need to uncomment it and choose a standalone mode. For example:

  ```
  PLATFORM=PM3RDV4
  #PLATFORM_EXTRAS=BTADDON
  STANDALONE=LF_EM4100RWC
  ```

After changing your standalone mode, don't forget to build and flash the code to the Proxmark3:

```
make clean
make -j
./pm3-flash-fullimage
```
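
The copy-and-edit steps above can be scripted so that exactly one STANDALONE line is ever active and an RDV4-only module is refused on another platform. This is an added example, not part of the Proxmark3 repository: the function names are hypothetical, the RDV4-only list is copied from the table above, and any PLATFORM value other than PM3RDV4 is assumed to be a non-RDV4 device.

```shell
#!/bin/sh
# Added example (not project code). Modules whose "Device target" column in
# the table above is exactly "RDV4". Rows marked "All / RDV4 *" or "Yes" are
# not listed because the table does not say they require RDV4.
RDV4_ONLY="LF_HIDFCBRUTE LF_ICEHID LF_NEXID LF_THAREXDE HF_14ASNIFF
HF_14SNIFF HF_BOG HF_COLIN HF_ICECLASS HF_MFCSIM"

# set_standalone MODE [FILE] [SAMPLE]
# Returns 0 on success, 1 on usage or I/O error, 2 on a platform mismatch.
set_standalone() {
    mode=$1
    file=${2:-Makefile.platform}
    sample=${3:-Makefile.platform.sample}
    [ -n "$mode" ] || return 1

    # Step 1: create Makefile.platform from the sample if it is missing.
    if [ ! -f "$file" ]; then
        cp "$sample" "$file" || return 1
    fi

    # Read the active PLATFORM line (PLATFORM_EXTRAS does not match).
    platform=$(sed -n 's/^PLATFORM=\([A-Za-z0-9_]*\).*/\1/p' "$file" | tail -n 1)

    # Refuse an RDV4-only module before touching the file.
    for m in $RDV4_ONLY; do
        if [ "$m" = "$mode" ] && [ "$platform" != "PM3RDV4" ]; then
            echo "error: $mode needs RDV4, PLATFORM is '${platform:-unset}'" >&2
            return 2
        fi
    done

    # Step 2: delete every active STANDALONE line, keep commented ones,
    # then append the single new selection.
    tmp=$(mktemp) || return 1
    sed '/^[[:space:]]*STANDALONE=/d' "$file" > "$tmp" || return 1
    echo "STANDALONE=$mode" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# active_standalone [FILE]: print the uncommented STANDALONE value(s).
active_standalone() {
    sed -n 's/^STANDALONE=\([A-Za-z0-9_]*\).*/\1/p' "${1:-Makefile.platform}"
}
```

After sourcing the file, `set_standalone LF_EM4100RWC` followed by the build and flash commands above reproduces the manual procedure.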
See: https://github.com/RfidResearchGroup/proxmark3/blob/master/armsrc/Standalone/readme.md
Some members of our community have produced text and video walk-throughs of these modules:
- @Hacker warehouse did a nice video on YouTube.
- Troy also has a nice image of the leds for LF_SAMYRUN.
- TinkerSec blogged about HID Prox badge cloning.
- quentynblog made a video about the HF_TCPRST (IKEA Rothult) standalone module.
Learn the tools of the trade the hard way +Fravia