Standalone mode

Iceman edited this page Nov 15, 2020 · 44 revisions

Introduction

The most curious feature of Proxmark3 is its standalone mode functionality.

With a battery power option, your device can enter a custom standalone function. You don't need a PC/Laptop with the Proxmark3 client software. The standalone mode is usually limited to a certain function, e.g. reading and then emulating a Legic Prime RFID tag. This also means the user interaction with the device is limited to the LEDs and the button.

| LEDS | BUTTONPRESS |
|---|---|
| 4 LEDs (A, B, C, D) | short, long or multiple (twice) |

Each standalone mode uses these differently, and it is hard to find out what is what. Looking at the source code might help.

To enter the currently flashed standalone mode, press and hold the button until the LEDs play a short animation.

You can implement your own mode or use one of the modes others have already implemented. Have a look at https://github.com/RfidResearchGroup/proxmark3/blob/master/armsrc/Standalone/readme.md

For any Iceman-based repo, the currently most popular public standalone modes are quite easy to compile and install. In this repo it's even easier than before. The default standalone mode is HF_MSDSAL.

Supported standalone modes

The following standalone modes are built in this repo.

| STANDALONE | DESCRIPTION | AUTHOR | non-RDV4 compatible |
|---|---|---|---|
| LF_SKELETON | Standalone mode skeleton | Iceman1001 | Yes |
| LF_EM4100EMUL | Simulate predefined EM4100 tags | Artyom Gnatyuk | Yes |
| LF_EM4100RSWB | Read/simulate/brute/clone EM4100 tags | Monster1024 | Yes |
| LF_EM4100RWC | Read/simulate/clone EM4100 tags | Artyom Gnatyuk | Yes |
| LF_HIDBRUTE | HID corporate 1000 bruteforce | Federico dotta & Maurizio Agazzini | Yes |
| LF_ICEHID | LF HID / IOprox / AWID / EM4100 collector to flashmem | Iceman1001 | No |
| LF_PROXBRUTE | HID ProxII bruteforce | Brad Antoniewicz | Yes |
| LF_SAMYRUN | HID26 read/clone/sim | Samy Kamkar | Yes |
| HF_14ASNIFF | HF 14a sniff to flashmem | Michael Farrell | No |
| HF_AVEFUL | MIFARE Ultralight read/simulation | Ave Ozkal | Yes |
| HF_BOG | HF 14a sniff with ULC/ULEV1/NTAG auth to flashmem | Bogito | No |
| HF_COLIN | MIFARE ultra fast sniff/sim/clone to flashmem | Colin Brigato | No |
| HF_ICECLASS | iCLASS 4-1 mode sim/read & dump/loclass/glitch & config to flashmem | Iceman1001 | No |
| HF_LEGIC | Read/simulate Legic Prime tags (RDV4: + save to flashmem) | Stefanie Hofmann & Uli Heilmeier | Partially* |
| HF_MATTYRUN | MIFARE sniff/clone | Matías A. Ré Medina | Yes |
| HF_MSDSAL (def) | Read and emulate MSD Visa cards | Salvador Mendoza | Yes |
| HF_TCPRST | IKEA Rothult ST25TA, Standalone Master Key Dump/Emulation | Nick Draffen | Yes |
| HF_YOUNG | MIFARE sniff/simulation | Craig Young | Yes |

* Note that some standalone modes take advantage of RDV4-specific features, which may or may not allow a generic non-RDV4 device to use the mode. You will most likely need to read the source code to understand what is supported.

Activate/Change a standalone mode

The standalone modes can be switched in the file Makefile.platform. Only one standalone mode can be chosen at a time.

  • Rename Makefile.platform.sample -> Makefile.platform
  • Edit the "STANDALONE" row inside Makefile.platform. You need to uncomment it and choose a standalone mode.

A valid Makefile.platform could look like this:

PLATFORM=PM3RDV4
#PLATFORM_EXTRAS=BTADDON
STANDALONE=LF_EM4100RWC

After changing your standalone mode, don't forget to build and flash the code to the Proxmark3.

  • make clean
  • make -j
  • ./pm3-flash-fullimage
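
The edit step above can be scripted. This added example (not part of the wiki or the Proxmark3 repo) checks the chosen mode against the table on this page and rewrites Makefile.platform so that exactly one STANDALONE row is active. The function names are hypothetical, and the handling of several commented STANDALONE rows is an assumption about how the sample file may be laid out.

```shell
#!/bin/sh
# Added example (not from the Proxmark3 repo). Mode names are the ones in the
# table on this page; the function names are hypothetical.
SUPPORTED_MODES="LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RWC
LF_HIDBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN HF_14ASNIFF HF_AVEFUL HF_BOG
HF_COLIN HF_ICECLASS HF_LEGIC HF_MATTYRUN HF_MSDSAL HF_TCPRST HF_YOUNG"

# is_supported MODE: succeeds only if MODE is one of the listed modes.
is_supported() {
    for m in $SUPPORTED_MODES; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# set_standalone FILE MODE: leave exactly one active STANDALONE= row in FILE.
set_standalone() {
    file=$1
    mode=$2
    is_supported "$mode" || { echo "unknown standalone mode: $mode" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    tmp=$(mktemp) || return 4
    # The first STANDALONE row (commented or not) becomes the chosen mode;
    # any further STANDALONE rows are dropped, since only one may be active.
    awk -v mode="$mode" '
        /^[ \t]*#?[ \t]*STANDALONE[ \t]*=/ {
            if (!seen) { print "STANDALONE=" mode; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print "STANDALONE=" mode }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# active_standalone FILE: print the uncommented STANDALONE value(s).
active_standalone() {
    awk '/^[ \t]*STANDALONE[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# Usage, from the repo root after creating Makefile.platform from the sample:
#   set_standalone Makefile.platform LF_EM4100RWC && active_standalone Makefile.platform
```

Once the file is updated, build and flash with the three commands listed above.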

Additional information

Some community efforts have been made to document these.

@Hacker warehouse did a nice video on YouTube.

Troy also has a nice image of the LEDs for LF SAMY_RUN.

A forum user detailed some modes.

The user @Tinker wrote a blog post about badge cloning.

Iceman, @herrmann1001, made a walkthrough of the HF legic standalone mode and HF iceclass standalone mode.

The user @quentynblog made a nice video about the HF ST rothult standalone mode.

Development

If you want to write and implement your own standalone mode, the best starting point is to read and understand the readme document found here.
