Introduction
The most curious concept of Proxmark3 is standalone mode.
If you can power your device from battery, you can run small modules from the PM3 itself, without needing a computer running the PM3 client.
These modules are usually limited to a single function, eg: "read and emulate a Legic Prime RFID tag". This also means the user interface is limited to the LEDs and the button:
| LEDS | BUTTON PRESS |
|---|---|
| 4 leds (A,B,C,D) | short, long or multiple (twice) |
All standalone modes use this differently, and it is hard to figure out what is what. Looking at the source code for each mode generally helps!
To enter the currently flashed standalone mode, press and hold the button until the LEDs play a short animation.
Warning: all standalone modes that target generic PM3 devices will lose data on power loss (or if the battery goes flat). Standalone modes that take advantage of RDV4-specific features can overcome this by storing data to flash.
Supported standalone modes
For any iceman based repo the current most popular public standalone modes is quite easy to compile and install.
In this repo its even easier than before. The default standalone mode is LF_SAMYRUN.
Table of built-in standalone modes:
| Module | Description | Author | Device target |
|---|---|---|---|
| LF_EM4100EMUL | Simulate predefined EM4100 tags | Artyom Gnatyuk | All |
| LF_EM4100RSWB | Read/simulate/brute/clone EM4100 tags | Monster1024 | All |
| LF_EM4100RSWW | Read/write/clone/validate/wipe EM4100 tags | Łukasz "zabszk" Jurczyk | All |
| LF_EM4100RWC | Read/simulate/clone EM4100 tags | Artyom Gnatyuk | All |
| LF_HIDBRUTE | HID corporate 1000 bruteforce | Federico dotta & Maurizio Agazzini | All |
| LF_HIDFCBRUTE | HID Facility Code bruteforce | ss23 | RDV4 |
| LF_ICEHID | LF HID / IOprox / AWID / EM4100 collector to flashmem | Iceman1001 | RDV4 |
| LF_MULTIHID | LF HID 26 Bit (H1031) multi simulator | Shain Lakin | All |
| LF_NEDAP_SIM | LF Nedap ID simple simulator | Benjamin gentilkiwi DELPY |
All |
| LF_NEXID | Nexwatch credentials detection mode | jrjgjk & Zolorah | RDV4 |
| LF_PROXBRUTE | HID ProxII bruteforce | Brad Antoniewicz | All |
| LF_PROX2BRUTE | HID ProxII bruteforce v2 | Yann Gascuel | All |
| LF_SAMYRUN | HID26 read/clone/sim | Samy Kamkar | All |
| LF_SKELETON | Standalone mode skeleton | Iceman1001 | All |
| LF_THAREXDE | LF EM4x50 simulator/read standalone mode | tharexde | RDV4 |
| HF_14ASNIFF | HF 14a sniff to flashmem | Michael Farrell | RDV4 |
| HF_14BSNIFF | HF 14b sniff to flashmem | Jacopo Jannone | All |
| HF_15SNIFF | HF 15693 sniff to flashmem | Nathan Glaser | RDV4 |
| HF_AVEFUL | MIFARE Ultralight read/simulation | Ave Ozkal | All |
| HF_BOG | HF 14a sniff ULC/ULEV1/NTAG auth to flashmem | Bogito | RDV4 |
| HF_CARDHOPPER | Relay 14a protocols over long distances (w/ IP backbone) | Sam Haskins | RDV4 |
| HF_COLIN | MIFARE ultra fast sniff/sim/clone to flashmem | Colin Brigato | RDV4 |
| HF_CRAFTBYTE | UID stealer - Emulates scanned 14a UID | Anze Jensterle | All |
| HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem | Iceman1001 | RDV4 |
| HF_LEGIC | Read/simulate Legic Prime tags (RDV4: + save to flashmem) | Stefanie Hofmann & Uli Heilmeier | All / RDV4 * |
| HF_LEGICSIM | Simulate Legic Prime tags | Uli Heilmeier | RDV4 |
| HF_MATTYRUN | MIFARE sniff/clone | Matías A. Ré Medina | All |
| HF_MFCSIM | MIFARE Classic simulate | Ray Lee | RDV4 |
| HF_MSDSAL | (default) Read and emulate MSD Visa cards | Salvador Mendoza | All |
| HF_REBLAY | 14A relay over BT | Salvador Mendoza | All |
| HF_TCPRST | IKEA Rothult ST25TA, Standalone Master Key Dump/Emulation | Nick Draffen | All |
| HF_TMUDFORD | Read and emulate ISO15693 card UID | Tim Mudford | All |
| HF_UNISNIFF | Multimode HF sniffer with optional flashmem & runtime select | Hazardousvoltage | All |
| HF_YOUNG | MIFARE sniff/simulation | Craig Young | All |
| DANKARMULTI | Load multiple standalone modes | Daniel Karling | All |
Warning: some standalone modes takes advantage of RDV4 specific features, which may not work on non-RDV4 devices. You will most likely need to read the source code to understand what is supported.
Installing a different standalone module
The standalone module can be switched in the file Makefile.platform. Only one standalone module can be chosen at a time.
-
Copy
Makefile.platform.sampletoMakefile.platform -
Edit the
STANDALONEvariable insideMakefile.platform. You need to uncomment it and chose a standalone mode. For example:PLATFORM=PM3RDV4 #PLATFORM_EXTRAS=BTADDON STANDALONE=LF_EM4100RWC
After changing your standalone mode, don't forget to build and flash the code to the Proxmark3:
make cleanmake -j./pm3-flash-fullimage
Writing your own
See: https://github.com/RfidResearchGroup/proxmark3/blob/master/armsrc/Standalone/readme.md
Additional information
Some members of our community have produced text and video walk-throughs of these modules:
- @Hacker warehouse did a nice video on youtube.
- Troy also has a nice image of the leds for LF_SAMYRUN.
- TinkerSec blogged about HID Prox badge cloning.
- quentynblog made a video about the HF_TCPRST (IKEA Rothult) standalone module.
Future
Standalone modes
Commands help
Signal processing
Learn the tools of the trade the hard way +Fravia