PROXDROID SOURCE CODE
(based on proxmark3 source code r839)
This source code contains all stuff including the necessary readline and termcap code; the only missing thing is the official proxmark3 source code folder you can find HERE.
To correctly compile this source code (link available at the very end of this post) you need to install Android NDK (tested under NDK r9 - July 2013). I suggest installing NDK into a "no-space-between-names" folder (ex. D:\NDKr9 and not D:\NDK r9) to avoid possible "missing file" problems.
Once you have correctly installed it you need to:
-1- copy proxdroid folder into NDK \samples folder (ex. D:\NDKr9\samples\proxdroid)
-2- move out in a safe place the file llex.c you can find in \samples\proxdroid\trunk\proxmark3\liblua\
-3- copy the official proxmark3 source code folder inside the trunk folder (ex. D:\NDKr9\samples\proxdroid\trunk\proxmark3\here-all-source-files+folders)
-4- overwrite original \samples\proxdroid\trunk\proxmark3\liblua\llex.c with the modified llex.c you moved at step 2
-5- go to ndk root folder (ex. D:\NDKr9\) and execute the following commands using a dos shell window (this example is good if you have NDK installed in D:\NDKr9 folder):
set PATH=D:\NDKr9\;%PATH%
cd samples
cd proxdroid
cd trunk
ndk-build
-6- compiled files [proxmark3; libreadline.so; libtermcap.so] can be found in \libs\armeabi folder (ex. D:\NDKr9\proxdroid\trunk\libs\armeabi).
When you compile a new version I suggest you clean the previous make command using the ndk-build clean command and then re-send commands at step 5 to compile the new version.
Android installation instructions can be found in the 1st post of this thread.
Many many thanks to marcv81 for the original project sources (no longer updated since r653 release) and to jonor for making sure that all of this was possible !!
No support will be given for this source code !
Consecutive dumps of the same tag are needed to better understand; anyway tomorrow I will try to compare what you just posted, thank you.
For each tag you should send the ISO15693 raw command:
hf 15 cmd sysinfo -2 u
and post the answer from the tag.
Also day and time are important so, if possible, when you use the tag with the turnstile, remember or write down somewhere date and time of the single passage (after a single passage you should read tag content [dump] to see what changes).
1) An elementary time unit (ETU) is the nominal bit duration used in the character frame.
3) Probably non-meaningful bad exchanges (need a dev confirmation).
4) You cannot simulate a transaction, you can emulate a tag or a reader, not both at the same time; using bytes above you can make pm3 act as a mifare card with that UID; if you need to know how to emulate or how to act as a reader have a look at pm3 documentation pages (for example here).
Yes bruteforcing is supported for that tag but can take years to test all possible passwords (the software doesn't crack password, only try to bruteforce it testing all possible ones).
Sniffing communication is possible, search in this forum. Sniffing commands should let you know what kind of situation you have (kind of security).
Datasheet is public: http://www.emmicroelectronic.com/webfiles/product/rfid/ds/EM4233SLIC_DS.pdf
It is for the "reduced version" called SLIC that is missing some functions but I think you can find all other answers you need there.
The answer he gave you is true only if it is a special changeable uid card (special commands needed); in that case the card description is not correct; ikarus app makes an nfc capable phone (with nxp chip inside, not broadcom ones) behaving just like a "professional" reader/writer. In my opinion you should ask your money back!
Hi dears, especially Roel,
I re-read with interest the "gone in 360 seconds" documents and I would like to ask a question about that sentence:
Following the principle of responsible disclosure, we
have contacted the manufacturer NXP and informed
them of our findings six months ahead of publication.
We have also provided our assistance in compiling a document
to inform their customers about these vulnerabilities.
The communication with NXP has been friendly
and constructive. NXP encourages the automotive industry
for years to migrate to more secure products that
incorporate strong and community-reviewed ciphers like
In particular is it possible to read the letter and the corresponding NXP answer/s and "encourages" to automotive industry ? Is a link available ?
Well, try to gather more info and I will add them (please be sure you have info about all the datasheet fields to suggest a new tag as you did for the previous); search for info is really time-consuming, you cannot simply come here and say "here it is the name", if you have few/no info there is no way to add it to the list, I think you will understand.
Thanks for pointing out !
I managed to find some "categories" for those RI-TRP transponders, and the letter after TRP- is the meaningful one; I am updating the list accordingly and looking for other info (unfortunately most of the official datasheets seem to be offline).
I compiled a quite extensive list of the most famous RFID tags present nowadays (more than 300 ICs).
The list is divided in:
- MANUFACTURER - Type/Model - Frequency - Description - Standard/Notes - Security;
- 1st sheet is a comprehensive listing;
- Separate sheets describe each manufacturer's products;
All info is taken directly from official manufacturer datasheets or from official papers written by researchers that you can find on the net (human transcription errors can occur so verify before assuming them as correct !).
The list is write-protected to avoid messing up. Me and 0xFFFF have write access. Here are some screenshots:
and HERE you can consult it online.
If you need write access send me your gmail account username.
If you have any suggestion/correction/addition please answer this thread, me or 0xFFFF will try to integrate it.
It can be; user must try to read the tag as an EM4100 and see if the format he has [E1111 003 26209] can be "decoded" as the other thread or in a similar way. Obviously it is not the same (1st value is 10 digits on the other card but maybe they omitted zeroes). Anyway I corrected my previous post.