It's no secret; I'm a fan of the Proxmark 3 RFID testing board. It's a device straight out of the movies; copy someone's badge, change modes, replay their badge ID, Bam. Door opens, in we go. You may have seen the blog I wrote in September, "Getting in with the Proxmark 3 and ProxBrute". If not, check it out.
Proxmark 3's "stand alone" mode is particularly awesome, allowing completely autonomous operation of the Proxmark 3 without the need for a computer. This mode allows the Proxmark to copy and replay up to two RFID tag IDs without the added bulk of schlepping around a computer. However, there are a couple of caveats to standalone mode. First, due to a limitation of the hardware, standalone mode is only able to read and store two tags at a time, one in each available slot. The second limitation is that these tags will not persist in storage if the device loses power. If your battery dies or accidentally becomes unplugged, goodbye hard work.
This is all well and good in a controlled test environment, where you can simply re-read the tags you are tinkering with. But in the field, every attempt to read a tag off of a badge an employee is wearing is another opportunity to get detected, or pepper-sprayed in the face if your target is none too keen on you getting the antenna within the inch-or-less read range of their badge.
I set out to configure a deployment that was hand held, allowed me to store as many unique tags as I was willing to read, and to allow all of those tags to persist across a power-loss event. Now, I'm not much of a programmer, and I'm certainly not about to redesign the Proxmark board to address these issues.
As I pondered my problem, I watched Kyle Osborn's excellent talk on Peer-to-peer Android Debugging, wherein he uses an "On The Go" USB cable to mount an Android phone to another Android phone for exploitation. Android phone, eh? Small, battery powered, very hackable… this could work. I've got an HTC One V Android phone, so I wondered if I could use that to meet my functionality requirements on a portable, more flexible Proxmark 3 rig. Sure! The Proxmark 3 client has the native ability to log to a text file on the client device's operating system, which means we can read all of the tags we want and store them to disk on the phone. Multiple tags can be stored and will persist across a power-loss event. The added benefit is that the native client has more functionality than standalone mode, making it more extensible in the field.
What I needed was a way to get the Proxmark 3 client software running on the phone. Then I needed a way to get the phone to actually detect the Proxmark 3 board as a usable device.
Before going any further, I had to determine if the HTC One V even supports USB host mode, allowing USB peripherals to be attached to the phone. Officially, the stock HTC One V kernel does not support USB host mode. However, a custom kernel on a rooted HTC One V will work, with some hacking. The following steps allowed me to get an HTC One V (and possibly other Android phones) to work as a Proxmark 3 portable platform.
This process is not incredibly difficult, especially because of the variety of guides and "all-in-one" tools available to make the process painless. I'm not going to document the entire process, as it is out of scope of this article, and other people have already documented the process. One particularly excellent guide was written by Hackajar, from the Vegas 2.0 hacker collective. He documents the process of rooting the Defcon 20 "Ninja Phone" from Ninja Networks. This phone is an HTC One V and is the same model I used in my tinkerings, so his article is a great place to start. You can find his article here.
As I mentioned before, the stock HTC One V kernel does not support USB host mode. A developer named "maxwen" at the xda-developers.com forums has dedicated his time to creating a custom Android kernel with some additional useful features, including USB host support. Full documentation of his custom kernel can be found at his forum post here, where he provides a link to a precompiled version. For users who prefer to review and compile their own source code, that can be found at his GitHub. This kernel needs to be flashed to the phone using fastboot, which requires the Android SDK to be installed first. Installing the SDK is outside of the scope of this article, but information can be found here.
Once the SDK is installed and is located within your operating system's $PATH, you'll need to boot your phone into fastboot mode. I used the ClockWorkMod Launcher to put my One V into fastboot. Instructions can be found here. Instructions to flash the kernel with fastboot can be found here.
In order to get the phone to recognize USB peripherals, I needed a special cable. This cable is referred to as an "On The Go" cable. With an OTG cable, the device (in this case the phone) can switch between acting as a USB host or a USB slave. I ordered an OTG cable off of Amazon, where they can be found as inexpensively as $0.82. The less expensive cables are not eligible for Prime, and ship from China, so be prepared for a long wait. The cable I ordered was $12 but was Prime eligible and I received it within two days. The exact cable I ordered can be found here and I can confirm that it works well.
Once the new kernel was installed, I tested it to make sure USB devices were being recognized by the kernel. I installed the app "USB Host Controller", available for free from the Google Play Store. I hooked the Proxmark 3 to the phone using the OTG cable and an external hard-drive USB Y-cable, with the "power" end of the split cable plugged into my computer's USB port (for power) and the other end plugged into the OTG cable's female port. The mini-USB end is plugged into the Proxmark 3. While the "Info" tab of USB Host Controller reported an error loading the driver, the "USB" tab did in fact show that the phone recognized the Proxmark 3.
The Proxmark 3 client application does not run on Android. There's a Linux version, but rather than trying to cross-compile the client (remember, I'm not a great programmer) I opted for the lazy route - I installed a chrooted Linux environment right onto the phone's microSD card. This process is extremely straightforward and pain-free using "Complete Linux Installer", an Android app available for free from the Google Play Store. Once downloaded, run the app and follow the download guide to download the Linux image of your choice.
I chose to use the Ubuntu 12.04 image because that image already has native support for the Proxmark 3 client dependencies, namely the correct version of libusb. You can probably use a different image if you hate on Ubuntu, but this is the route I went. Don't judge me. I didn't need the full X Windows GUI, so I installed the "Core Ubuntu Image". This is a bare bones version of the OS and is quite a small footprint, requiring only a two hundred megabyte download. The image, once extracted, uses 750 megabytes of space on the microSD card, with about 400 megabytes of free space. Perfect.
In order for the chrooted environment to see the phone's attached peripherals, I had to mount a few directories into the chroot environment. The easiest way to do this was to edit the boot script Total Linux Installer uses to mount and launch the images. The file can be found at the following path on your Android device:
/data/data/com.zpwebsites.linuxonandroid/files/bootscript.sh
I used "adb shell" from the Android SDK to get a root shell on the phone, and then edited the boot script with vi. I scrolled down about halfway through the file until I came to the section entitled "Mount all required partitions" (beginning at line 128 in my copy of the script). This portion is found just after the "Set up loop device and mount image" section, and just before the "Checks if you have a external SD card and mounts it if you do" section. I inserted the following lines:
# Josh Mounts
$bbox mount -o bind /dev $mnt/dev
$bbox mount -o bind /sys $mnt/sys
$bbox mount -o bind /system $mnt/system
If all goes well, and it should, the chrooted images will now have access to the peripherals attached to the Android via the OTG cable. I then launched my chrooted distro via "Total Linux Installer".
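The three bind mounts above run unconditionally every time the boot script executes, so relaunching the image without a reboot stacks a second mount on top of the first, and nothing ever unmounts them. The script below is an added example, not part of the original post or of the Linux installer's boot script: it wraps the same three mounts in an idempotent helper that checks /proc/mounts first and tears them down in reverse order. It assumes the boot script's $mnt (chroot root) and $bbox (busybox path) variables; the default values given for them are placeholders, and DRY_RUN=1 is an added switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the installer's bootscript): idempotent bind mounts for the chroot.
# Assumes the bootscript's $mnt and $bbox variables; defaults below are placeholders.
mnt="${mnt:-/data/local/mnt}"
bbox="${bbox:-busybox}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the mount commands instead of executing them

# is_mounted DIR: returns 0 if DIR is the target of a current mount
# (exact match on the second column of /proc/mounts), 1 otherwise or
# when /proc/mounts is not readable.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' /proc/mounts
}

# bind_dir SRC: bind-mount the host directory SRC at $mnt/SRC, once.
bind_dir() {
    src="$1"
    dst="$mnt$1"
    if [ ! -d "$src" ]; then
        echo "skip $src: not a directory on this host" >&2
        return 1
    fi
    if is_mounted "$dst"; then
        echo "already mounted: $dst"
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$bbox mount -o bind $src $dst"
        return 0
    fi
    mkdir -p "$dst" && "$bbox" mount -o bind "$src" "$dst"
}

# bind_all: the same three directories the post adds to the bootscript.
bind_all() {
    for d in /dev /sys /system; do
        bind_dir "$d" || :
    done
}

# unbind_all: reverse order, and only what is actually mounted.
unbind_all() {
    for d in /system /sys /dev; do
        if is_mounted "$mnt$d"; then
            "$bbox" umount "$mnt$d"
        fi
    done
}
```

Call bind_all from the "Mount all required partitions" section in place of the three raw mount lines, and unbind_all from wherever the script unmounts the image. Binding all of /dev hands the chroot every device node on the phone; libusb reaches USB devices through /dev/bus/usb, so binding only that subtree is a narrower option worth trying once the basic setup works.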
Once inside my chrooted environment I needed to install a few dependencies. First, I needed to make sure I was up to date on our repositories and packages. I ran the following commands:
apt-get update
apt-get upgrade
Once the update finished, it was time to actually install the packages. As root (and unless you created another user, you should be root anyway), I ran the following:
apt-get install build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev perl pkg-config subversion
This should work fine if you used the Ubuntu 12.04 Core image. If it didn't, stop and troubleshoot, but you're on your own. Once the dependencies were installed, I then downloaded the latest source trunk of the Proxmark 3 client.
cd /root # or whichever directory you'd like to save the code to
svn co http://proxmark3.googlecode.com/svn/trunk proxmark-trunk
These commands downloaded the latest source code into a directory called proxmark-trunk. Next I needed to compile the client. I tried to compile the entire package, but the ARM and FPGA source code will fail to compile without additional tweaking of the Makefile code. I've not yet gotten around to getting this to compile natively. If you get it working, comment here and I'll update the blog.
cd proxmark-trunk/client
make
This compiled the Proxmark 3 client applications, including the flasher application and the one-off "cli" application. Everything went well for me, but your mileage may vary.
Now that the client had been compiled, it was time to test it all out. I hooked the Proxmark 3 up to a power source and the OTG cable via the USB Y-Cable, and connected the OTG cable into the phone. I then launched "USB Host Controller" via Android and selected the "USB" tab to ensure that the phone recognized the Proxmark board (you may have to refresh this tab).
Once the phone recognized the board, I returned to my chrooted environment and the Proxmark3 client directory. I launched the client with "./proxmark3"; if all is well, you should see it recognize a Proxmark board with the text "Connected Units: 1. SN: Changeme [001/002]".
I was then able to run the Proxmark 3 from my Android phone. The "proxmark3" application creates a text log file in the "client" directory, which will contain all of the client's output. Now I can read and write tags to my heart's content and have a record of everything I've done. If the power supply feeding the Proxmark fails, the Android battery will keep the client running and the log file will be written to the microSD card for later review.
Here are photos of my new highly portable, extremely extensible Proxmark 3 rig. While it's slightly larger than the standalone "Proxmark and a battery" rig, the additional functionality makes this platform highly appealing.
While this article is aimed specifically at getting the Proxmark 3 playing nicely with the Android phone, the possible applications are quite diverse. Once the chrooted environment is configured and the proper Android device directories are mounted into that environment, the sky is the limit. I've used this same Linux instance to run software defined radios, external USB wireless interfaces, and a whole lot more. The Android phone has now become a portable pocket Linux hacking platform. Some devices will require additional injected power via a USB hub, but this configuration should be a great start and has far-reaching implications.
TL;DR - Android phones are great, made even more so with the addition of an OTG cable, provided your phone supports OTG.
Leave us a comment if you've done anything particularly cool with this configuration!
- Josh "savant" Brashars, Trustwave SpiderLabs.