├── .vscode ├── settings.json └── launch.json ├── LICENSE ├── README.md ├── iso15693.ksy └── index.html /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "html.format.unformattedContentDelimiter": "" 3 | } -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "type": "msedge", 9 | "request": "launch", 10 | "name": "Open index.html", 11 | "file": "index.html" 12 | } 13 | ] 14 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 g3gg0.de 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Proxmark WebSerial Interface 2 | 3 | ## Overview 4 | This repository provides a web-based interface for interacting with Proxmark3 devices using the latest Iceman firmware, leveraging the Web Serial API available in Chrome-based browsers. 5 | It enables users to connect to their Proxmark3, execute commands such as reading ISO15693 tags, sniffing that traffic, and flashing firmware directly from the browser without the need for additional software. 6 | 7 | ## Features 8 | - **Device Connection**: Connect to Proxmark3 via the Web Serial API. 9 | - **Read ISO15693 Tags**: Quickly read UID of ISO15693 NFC tags. 10 | - **Sniff ISO15693 Traffic**: Capture NFC traffic for analysis. 11 | - **Flash Firmware**: Update your Proxmark3 with new firmware from a .bin file or directly from a provided URL. 12 | 13 | ## Prerequisites 14 | - Proxmark3 with Iceman firmware. 15 | - Chrome-based browser with Web Serial API support. 16 | 17 | ## Usage 18 | 19 | ### Connecting to Proxmark3 20 | 1. Open the Proxmark WebSerial page in a compatible browser. 21 | 2. Click on the `Connect` button and select your Proxmark3 device. 22 | 3. Do things. 23 | 24 | ### Reading ISO15693 Tags 25 | - After connecting, use the `ISO15693 Read UID` button to read the UID of nearby tags. 26 | 27 | ### Sniffing NFC Traffic 28 | - Click on the `ISO15693 Sniff Traffic` button to start capturing NFC traffic. 29 | 30 | ### Flashing Firmware 31 | To flash the firmware, plug the Proxmark3 with the button pressed. Then two LEDs should be lit and you can connect to it for flashing new firmware. 32 | - To flash firmware from a file: choose a `.bin` file using the file input under `From File`. 33 | - To flash firmware from a URL: click the `Download` button under `From g3gg0.de`. 34 | The firmware must be in .bin format - run arm-elf-objcopy -O fullflash.bin fullflash.elf before. 35 | 36 | ## Installation 37 | Simply host the provided HTML file on any web server, or open it directly in a browser from your local filesystem. 38 | 39 | ## Development 40 | - **Kaitai Struct**: For parsing binary data formats. 41 | - **JavaScript**: Primary programming language. 42 | 43 | ## Contributing 44 | Contributions are welcome! Please submit pull requests or create issues for bugs and feature requests. 45 | 46 | ## License 47 | MIT 48 | 49 | ## Acknowledgements 50 | - Thanks to the Proxmark3 community and the developers of the Iceman firmware. 51 | - Utilizes Kaitai Struct and other open-source libraries for various functionalities. 52 | 53 | -------------------------------------------------------------------------------- /iso15693.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: iso15693 3 | title: ISO15693 NFC protocol 4 | endian: le 5 | 6 | seq: 7 | - id: request_response 8 | type: request_response 9 | repeat: expr 10 | repeat-expr: 3 11 | 12 | types: 13 | request_response: 14 | seq: 15 | - id: req_len 16 | type: u1 17 | - id: req 18 | type: request 19 | - id: res_len 20 | type: u1 21 | - id: res 22 | type: 23 | switch-on: req.command 24 | cases: 25 | 'command_type::inventory': res_inventory 26 | 'command_type::get_system_information': res_get_system_information 27 | 'command_type::read_single_block': res_read_single_block 28 | _: res_empty 29 | 30 | request: 31 | seq: 32 | - id: flags 33 | type: req_flags 34 | - id: command 35 | type: u1 36 | enum: command_type 37 | - id: manufacturer_code 38 | type: u1 39 | enum: manufacturer_code_type 40 | if: command.to_i >= 0xA0 41 | - id: uid 42 | type: u8 43 | if: flags.address_slots == true and flags.inventory == false 44 | - id: payload 45 | type: 46 | switch-on: command 47 | cases: 48 | 'command_type::inventory': req_inventory 49 | 'command_type::read_single_block': req_read_single_block 50 | 'command_type::write_single_block': req_write_single_block 51 | 'command_type::lock_block': req_lock_block 52 | 'command_type::write_dsfid': req_write_dsfid 53 | 'command_type::read_multi_block': req_read_multi_block 54 | 'command_type::write_multi_block': req_write_multi_block 55 | 'command_type::nxp_set_password': req_nxp_set_password 56 | 'command_type::nxp_write_password': req_nxp_write_password 57 | 'command_type::nxp_lock_password': req_nxp_lock_password 58 | 'command_type::nxp_destroy': req_nxp_destroy 59 | 'command_type::nxp_enable_privacy': req_nxp_enable_privacy 60 | 'command_type::nxp_write_eas_id': req_nxp_write_eas_id 61 | _: no_payload 62 | - id: crc 63 | type: u2 64 | 65 | no_payload: 66 | seq: 67 | - id: dummy 68 | size: 0 69 | 70 | res_empty: 71 | seq: 72 | - id: flags 73 | type: res_flags 74 | - id: error_code 75 | type: u8 76 | if: flags.error 77 | - id: crc 78 | type: u2 79 | 80 | ################ Flags ################ 81 | req_flags: 82 | doc: general request flags, defined in ISO15693-3 7.3.2 83 | seq: 84 | - id: rfu 85 | type: b1 86 | - id: option 87 | type: b1 88 | - id: address_slots 89 | type: b1 90 | doc: dual-use, depending on inventory flag, which comes after 91 | - id: select_afi 92 | type: b1 93 | doc: dual-use, depending on inventory flag, which comes after 94 | - id: protocol_extension 95 | type: b1 96 | - id: inventory 97 | type: b1 98 | - id: data_rate 99 | type: b1 100 | - id: sub_carrier 101 | type: b1 102 | 103 | res_flags: 104 | doc: general response flags, defined in ISO15693-3 7.4.2 105 | seq: 106 | - id: rfu 107 | type: b1 108 | - id: waiting_time_extension 109 | type: b1 110 | - id: block_security_status 111 | type: b2 112 | - id: extension 113 | type: b1 114 | - id: final_response 115 | type: b1 116 | - id: responsebuffer_validity 117 | type: b1 118 | - id: error 119 | type: b1 120 | 121 | ################ Inventory ################ 122 | req_inventory: 123 | seq: 124 | - id: afi 125 | type: u1 126 | if: _parent.flags.select_afi == true 127 | - id: mask_length 128 | type: u1 129 | - id: mask 130 | size: mask_length/8 131 | 132 | res_inventory: 133 | seq: 134 | - id: flags 135 | type: res_info_flags 136 | - id: dsfid 137 | type: u1 138 | - id: uid 139 | type: u8 140 | - id: crc 141 | type: u2 142 | 143 | ################ Get System Information ################ 144 | res_get_system_information: 145 | seq: 146 | - id: flags 147 | type: res_flags 148 | - id: info_flags 149 | type: res_info_flags 150 | - id: uid 151 | type: u8 152 | - id: dsfid 153 | type: u1 154 | if: info_flags.dsfid 155 | - id: afi 156 | type: u1 157 | if: info_flags.afi 158 | - id: vicc_memory_size 159 | type: res_vicc_memory_size 160 | if: info_flags.vicc_memory_size 161 | - id: ic_reference 162 | type: u1 163 | if: info_flags.ic_reference 164 | - id: crc 165 | type: u2 166 | 167 | res_info_flags: 168 | seq: 169 | - id: prop1 170 | type: b1 171 | - id: prop2 172 | type: b1 173 | - id: prop3 174 | type: b1 175 | - id: prop4 176 | type: b1 177 | - id: ic_reference 178 | type: b1 179 | - id: vicc_memory_size 180 | type: b1 181 | - id: afi 182 | type: b1 183 | - id: dsfid 184 | type: b1 185 | 186 | 187 | res_vicc_memory_size: 188 | seq: 189 | - id: proprietary 190 | type: b3 191 | - id: block_size 192 | type: b5 193 | - id: block_count 194 | type: b8 195 | 196 | 197 | ################ Lock Block ################ 198 | req_lock_block: 199 | seq: 200 | - id: block 201 | type: u1 202 | 203 | ################ Read Block ################ 204 | req_read_single_block: 205 | seq: 206 | - id: block 207 | type: u1 208 | 209 | res_read_single_block: 210 | seq: 211 | - id: flags 212 | type: res_info_flags 213 | - id: data 214 | size: _parent.res_len - 3 215 | - id: crc 216 | type: u2 217 | 218 | ################ Write Block ################ 219 | req_write_single_block: 220 | seq: 221 | - id: block 222 | type: u1 223 | 224 | ################ Write DSFID ################ 225 | req_write_dsfid: 226 | seq: 227 | - id: dsfid 228 | type: u1 229 | 230 | ################ Read Multiple Blocks ################ 231 | req_read_multi_block: 232 | seq: 233 | - id: block 234 | type: u1 235 | 236 | ################ Write Multiple Blocks ################ 237 | req_write_multi_block: 238 | seq: 239 | - id: block 240 | type: u1 241 | 242 | 243 | ################ NXP SLIX: Set Password ################ 244 | req_nxp_set_password: 245 | seq: 246 | - id: password_id 247 | type: u1 248 | enum: nxp_password_type 249 | - id: password_xor 250 | type: u4 251 | 252 | ################ NXP SLIX: Write Password ################ 253 | req_nxp_write_password: 254 | seq: 255 | - id: password_id 256 | type: u1 257 | enum: nxp_password_type 258 | - id: password 259 | type: u4 260 | 261 | ################ NXP SLIX: Lock Password ################ 262 | req_nxp_lock_password: 263 | seq: 264 | - id: password_id 265 | type: u1 266 | enum: nxp_password_type 267 | 268 | ################ NXP SLIX: Destroy ################ 269 | req_nxp_destroy: 270 | seq: 271 | - id: password_xor 272 | type: u4 273 | 274 | ################ NXP SLIX: Enable Privacy ################ 275 | req_nxp_enable_privacy: 276 | seq: 277 | - id: password_xor 278 | type: u4 279 | 280 | ################ NXP SLIX: Write EAS ID ################ 281 | req_nxp_write_eas_id: 282 | seq: 283 | - id: eas_id 284 | type: u2 285 | 286 | 287 | 288 | enums: 289 | # https://en.wikipedia.org/wiki/ISO/IEC_15693 290 | manufacturer_code_type: 291 | 0x01: motorola 292 | 0x02: stmicroelectronics 293 | 0x03: hitachi 294 | 0x04: nxp_semiconductors 295 | 0x05: infineon_technologies 296 | 0x06: cylink 297 | 0x07: texas_instruments 298 | 0x08: fujitsu 299 | 0x09: matsushita_electronics_corporation_semiconductor 300 | 0x0a: nec 301 | 0x0b: oki_electric_industry 302 | 0x0c: toshiba 303 | 0x0d: mitsubishi_electric 304 | 0x0e: samsung_electronics 305 | 0x0f: hynix 306 | 0x10: lg_semiconductors 307 | 0x11: emosyn_em_microelectronics 308 | 0x12: inside_technology 309 | 0x13: orga_kartensysteme 310 | 0x14: sharp 311 | 0x15: atmel 312 | 0x16: em_microelectronic_marin 313 | 0x17: smartrac_technology 314 | 0x18: zmd 315 | 0x19: xicor 316 | 0x1a: sony 317 | 0x1b: malaysia_microelectronic_solutions 318 | 0x1c: emosyn 319 | 0x1d: shanghai_fudan_microelectronics 320 | 0x1e: magellan_technology 321 | 0x1f: melexis 322 | 0x20: renesas_technology 323 | 0x21: tagsys 324 | 0x22: transcore 325 | 0x23: shanghai_belling 326 | 0x24: masktech_germany 327 | 0x25: innovision_research_and_technology 328 | 0x26: hitachi_ulsi_systems 329 | 0x27: yubico 330 | 0x28: ricoh 331 | 0x29: ask 332 | 0x2a: unicore_microsystems 333 | 0x2b: dallas_semiconductor_maxim 334 | 0x2c: impinj 335 | 0x2d: rightplug_alliance 336 | 0x2e: broadcom 337 | 0x2f: mstar_semiconductor 338 | 0x30: beedar_technology 339 | 0x31: rfidsec 340 | 0x32: schweizer_electronic 341 | 0x33: amic_technology 342 | 0x34: mikron 343 | 0x35: fraunhofer_institute_for_photonic_microsystems 344 | 0x36: ids_microship 345 | 0x37: kovio 346 | 0x38: hmt_microelectronic 347 | 0x39: silicon_craft_technology 348 | 0x3a: advanced_film_device 349 | 0x3b: nitecrest 350 | 0x3c: verayo 351 | 0x3d: hid_global 352 | 0x3e: productivity_engineering 353 | 0x3f: austriamicrosystems 354 | 0x40: gemalto 355 | 0x41: renesas_electronics 356 | 0x42: threealogics 357 | 0x43: top_troniq_asia 358 | 0x44: gentag 359 | 0x45: invengo_information_technology 360 | 0x46: guangzhou_sysur_microelectronics 361 | 0x47: ceitec 362 | 0x48: shanghai_quanray_electronics 363 | 0x49: mediatek 364 | 0x4a: angstrem 365 | 0x4b: celisic_semiconductor 366 | 0x4c: legic_identsystems 367 | 0x4d: balluff 368 | 0x4e: oberthur_technologies 369 | 0x4f: silterra_malaysia 370 | 0x50: delta 371 | 0x51: giesecke_devrient 372 | 0x52: shenzhen_china_vision_microelectronics 373 | 0x53: shanghai_feiju_microelectronics 374 | 0x54: intel 375 | 0x55: microsensys 376 | 0x56: sonix_technology 377 | 0x57: qualcomm_technologies 378 | 0x58: realtek_semiconductor 379 | 0x59: freevision_technologies 380 | 0x5a: giantec_semiconductor 381 | 0x5b: jsc_angstrem_t 382 | 0x5c: starchip 383 | 0x5d: spirtech 384 | 0x5e: gantner_electronic 385 | 0x5f: nordic_semiconductor 386 | 0x60: verisiti 387 | 0x61: wearlinks_technology 388 | 0x62: userstar_information_systems 389 | 0x63: pragmatic_printing 390 | 0x64: associacao_do_laboratorio_de_sistemas_integraveis_tecnologico 391 | 0x65: tendyron 392 | 0x66: muto_smart 393 | 0x67: on_semiconductor 394 | 0x68: tubitak_bilgem 395 | 0x69: huada_semiconductor 396 | 0x6a: seveney 397 | 0x6b: issm 398 | 0x6c: wisesec 399 | 0x7e: holtek 400 | 401 | 402 | command_type: 403 | 0x01: inventory 404 | 0x02: stay_quiet 405 | 0x20: read_single_block 406 | 0x21: write_single_block 407 | 0x22: lock_block 408 | 0x23: read_multi_block 409 | 0x24: write_multi_block 410 | 0x25: select 411 | 0x26: reset_to_ready 412 | 0x27: write_afi 413 | 0x28: lock_afi 414 | 0x29: write_dsfid 415 | 0x2A: lock_dsfid 416 | 0x2B: get_system_information 417 | 0x2C: read_multi_secstatus 418 | 0xA2: nxp_set_eas 419 | 0xA3: nxp_reset_eas 420 | 0xA4: nxp_lock_eas 421 | 0xA5: nxp_eas_alarm 422 | 0xA6: nxp_password_protect_eas_afi 423 | 0xA7: nxp_write_eas_id 424 | 0xB0: nxp_inventory_page_read 425 | 0xB1: nxp_inventory_page_read_fast 426 | 0xB2: nxp_get_random_number 427 | 0xB3: nxp_set_password 428 | 0xB4: nxp_write_password 429 | 0xB5: nxp_lock_password 430 | 0xB9: nxp_destroy 431 | 0xBA: nxp_enable_privacy 432 | 433 | nxp_password_type: 434 | 0x01: read 435 | 0x02: write 436 | 0x04: privacy 437 | 0x08: destroy 438 | 0x10: eas_afi 439 | 440 | -------------------------------------------------------------------------------- /index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Proxmark WebSerial 8 | 9 | 10 | 11 | 12 | 15 | 16 | 146 | 147 | 148 | 149 | 150 | 151 | 589 | 590 | 591 |
592 |

Proxmark WebSerial

593 |
594 | 595 |
596 |
597 |
Not Connected
598 | 599 |
600 |
601 |
602 |
603 |
604 |
605 |
606 |
607 | 608 | 609 |
610 |
611 |

Flash Firmware

612 |
From File:
613 |
From g3gg0.de:
614 |
615 | 616 |
617 | 618 | 1713 | 1714 | 1715 | --------------------------------------------------------------------------------