
Installation Steps

Step 1: Obtain a CAC Reader
Step 2: CAC Reader driver / Video
Step 3: DoD Certificates
Step 4: ActivClient
Step 4a: Update ActivClient
Step 5: IE adjustments / Video
Log into a CAC enabled website now

Page Quick Links:
Firmware Update for SCR-331
Verify SmartCard Service started
Start Smart Card Service PDFs
Updating a CAC Driver

Plug in your CAC reader NOW
NOTE: Please check and make sure your CAC reader is installed BEFORE you attempt to follow the driver installation instructions below. Most of the time, the New Hardware wizard will install the CAC reader automatically, negating the need for you to install the driver manually.

To Verify whether your driver did or did not install, follow these instructions:

Plug your CAC reader into your computer before proceeding

Windows 10: Right click the Windows logo (lower left corner of your screen). Click System, select Device Manager link (upper left corner of the screen), scroll down to Smart card readers, select the little triangle next to it to open it up. If your smart card reader is listed, go to the next step of installing the DoD certificates.

Windows 8.1: Right click Computer, select Properties, Device Manager link (upper left corner of the screen), scroll down to Smart card readers, select the little triangle next to it to open it up. If your smart card reader is listed, go to the next step of installing the DoD certificates. NOTE: If you don't see it, you can also click Start, In the Start Search line type in: devmgmt.msc. (For Windows 8.1 users, you'll right click Start).

If it did not install correctly... Try this first: Go to Device Manager (Instructions are above), scroll down to Smart Card readers, right click the CAC reader that shows up below Smart Card Readers. It can also show up under unknown devices. Select Uninstall. It will give you a message. Once it is uninstalled, unplug the reader from your computer. Wait a few moments, then plug it back in. It 'should' start to install itself. If that doesn't work, keep reading for other ideas below.

IF you do not see Smart card readers when checking, THEN follow along with the steps below.

To install a driver onto your computer for a CAC reader, you need to first download the correct driver for the hardware you purchased. I have drivers for the most common USB, keyboard, laptop, & desktop card readers.

PROCEED TO STEP 3 ONCE YOU'VE COMPLETED YOUR VERIFICATION OR INSTALLATION

Unzipping - the driver

Windows 10 or 8.1 - Save the zip file to a location of your choosing. Once you have the zip file downloaded, open the zip file (Windows built-in zipping program). Copy the folder inside to a new folder. It will unzip the contents (this is the folder you will need when you are doing the steps below). You can also use the Extract All Files button (on the left under Folder Tasks, under File, Extract All). It will then ask where you want to save the file. I recommend placing a backslash ( \ ) at the end of the location on the screen.

WinZip- Use the Extract button. It will ask you where you want to save the extracted files to, I recommend your desktop. Click the desktop icon on the left. Push the little yellow folder in the upper right corner of this active window. It will prompt you for a name for the folder (type in CAC Driver). Hit OK, then select Extract (lower right corner of this window). You should now see your new folder on your desktop to open up. Keep this for a later step.

Updating the Driver - Example is for an SCR-331

Windows 10 & 8.1 - Right Click Computer, Select Properties

Click the Device Manager link (on the left side of your screen)

Select the triangle next to Smart Card Readers

Right click the SCRx31 USB Reader, select Update Driver software

Browse my computer... Select Browse, then desktop (or wherever you made the folder)

NOTE: One person had to select 'Search automatically for updated driver software' (This is very rare)

Select the folder (if using the firmware update driver below, stop at the driver folder, do not 'dig' down to the AMD or Intel folders) and then OK. Next

Your driver will be installed.

FIRMWARE UPDATE for SCR-331 Reader

(Requires a physical Windows computer, Mac using Bootcamp, or TENS / LPS (see next sentence below). It will NOT work in virtual Windows (examples: VMware, Parallels, or Virtual box)).

Verify your firmware version before going through this process...

1. Go to Device Manager, type: device manager in the search box

2. Select the arrow next to Smart card readers

3. Right click on SCR33x USB Smart Card reader

4. Select Properties

5. Select Details (tab)

6. Select Hardware Ids

7. The number after &REV_ is your current firmware. If it is 0525 there is no need to update the firmware.

Intel-based Macs can update the firmware using TENS / LPS (instructions on top of PDF page 37 (document page 34)) Video instructions

The firmware update 'should' fix the following problems:

A. Card reader is not recognized

B. Shows up as 'STCII Smart Card Reader'

C. Shows up as 'USB Smart Card Reader' (not necessarily a problem)

D. Does not read your 'Gemalto TOP DL GX4 144', 'Oberthur ID One 128 v5.5 Dual' CAC.

E. Does not read your CAC when using your Mac

NOTE: We are hearing Mac users having problems with the SCR-331 reader. A recommendation is to get a Mac compatible reader.

Installation Instructions:

1. Download update file
2. Unzip the downloaded file (by Right-clicking and selecting Extract All)
3. Update the driver present in the 'driver' folder (by following guidance above)
4. Once the driver is updated, Run FWUPDATE.EXE (lightning bolt) in the 'app' folder to update the firmware. Select the default choices.
5. Close all programs, restart your computer

NOTE: If your computer fails to recognize the CAC reader driver, you may need to try a different computer to do the update.

Now your SCR-331 reader can be used with Windows 10 & 8.1, or Mac.

FIRMWARE UPDATE for SCR-3310 reader

(V1 ONLY (doesn't have V2 after SCR-3310 on the label))

(Requires a physical Windows computer, Mac using Bootcamp, or TENS / LPS (see next sentence below). It will NOT work in virtual Windows (examples: VMware, Parallels, or Virtual box)).

Intel-based Macs can update the firmware using TENS / LPS (instructions on PDF page 37 (document page 34)) Video instructions

NOTE: DO NOT use this update on a V2 reader. There is no firmware update for a V2 reader because it is already updated.

Click on FWUpdate.exe, this will update your firmware to version 5.26

CHECK SERVICES to make sure Smart Card is running

(This Video shows a very basic version on how to start the service (start at 44 seconds))

If your CAC reader is still not seen by ActivClient, make sure that the Smart Card service is running.

Here's how: Go to: Start, Search programs and files (in Windows 10 & 8.1), type: Services.msc. Scroll down to Smart Card (service name SCardSvr), double click it, set the startup type to Automatic and click Start.

If you are unable to start the service; It doesn't show up; ActivClient still says no reader attached; or it acknowledges you have a CAC in the reader (but you can't access it) follow these registry edits below.

Windows 10 & 8.1

Automated method (double click the .reg file inside the .zip folder)

Manual method for Windows 10 & 8.1, (mirror your registry settings to the PDF links below).

Anytime you make changes to the Registry it is recommended that you back it up first.


If ActivClient still does not see the CAC reader, try these ideas (if they don't work, your only other option is reloading Windows onto your computer).

Radio-frequency identification (RFID) is a widely used technology for the tracking and identification of objects that have been 'tagged' with small RFID tags. These tags often come in the shape of little keychains, cards, and stickers. They can be seen in many different kinds of systems and are often relied upon instead of keys or cash.

I personally find wireless technologies very interesting and especially love RFID systems so during my research for the HID iClass system it became prudent to buy a Proxmark 3.

The Proxmark III is a device developed by Jonathan Westhues that enables sniffing, reading and cloning of RFID (Radio Frequency Identification) tags.

The Proxmark III (PM3) is the de facto RFID research tool. There are other alternative tools but none have the community and prevalence of the PM3. It's capable of reading, writing, and emulating many of the currently available RFID tags. In addition, there is a quiet community forum where some highly technical volunteers share custom Proxmark firmwares and much needed information about RFID research.

If you are serious about researching RFID systems, you need a Proxmark 3. There's no question about it.

Getting a Proxmark


The Proxmark website lists a few retailers where you can purchase a PM3 but I'll discuss how I got mine and what I paid for it.

Coupon

Sam from Lab401 reached out and offered a coupon code for a Proxmark 3 from their store for my readers!

Use code CHUNG401 for a 50 euros/dollars discount on a cart with a Proxmark 3, MIFARE 4K tags, and Ultralight UID tags.

For one thing, I purchased the RDV2 version of the Proxmark which isn't the open source version but makes some improvements over the initial release. Notably it's smaller, has support for a battery, and uses MMCX cables instead of USB cables.

You can purchase a PM3 from a couple of different sites and I think Rysc Corp is the most reputable in the US but I actually purchased my PM3 from Elechouse in Hong Kong for a total of $248 after shipping. At Rysc Corp a Proxmark (RDV2 or not) costs at least $299 before shipping.

It cost $212.00 for the actual PM3 RDV2 and $36.30 for shipping to the US for a total of $248.30.

Looking back, it's actually possible to save a couple more bucks by going to AliExpress and buying the RDV2 there for about $190 with free shipping or the even cheaper 'Proxmark 3 Easy'.

The PM3 Easy is a pretty cheap version of the Proxmark that costs about $100 but sacrifices some features:

This is a version intended for the Chinese domestic market only, so has a few features removed:

  1. AT91SAM7S256 (smaller memory, 256 KB)
  2. Removed lithium battery management and socket.
  3. Removed some components such as Relay and the Amplifier
  4. Use different antenna connection.
    ~ Proxmark Forums Post by kwx

Overall, the original Proxmark 3 design is obsolete and you should go with one of the newer designs from Elechouse.

There are a number of resources for setting up a PM3, and in terms of hardware it will differ slightly depending on your model.

The original PM3 has antennas on USB connectors that you can detach and reattach at will. You should not do this on the RDV2. With the RDV2, after you connect the MMCX cables, you should leave them attached and screw the antenna modules into the main body.

I did not do this and one antenna is now hot-glued to the MMCX cable.

Once everything is attached you should follow the PM3 wiki for setting up the PM3 firmware. To the best of my knowledge all released Proxmarks use the same firmware so there shouldn't be much model based difference in terms of software.

I won't get into the software setup too much because it's very involved and I won't be able to do a better job than the wiki. However, I will say that at some point the PM3 changed from a USB interface to a serial interface for performance reasons. The serial interface is finicky and can have problems running in a virtual machine.

If you do decide to use a VM, I've had more success with Linux than Windows and in Windows, for some reason I can't explain, the PM3 client only works when I use the GUI. But at the moment, I use a Windows 7 VM and the GUI as my PM3 interface.

Overall, flashing the PM3 can be an annoying process that you really only want to have to do once or twice.

There are a number of RFID authentication technologies common in the US and I've encountered four in my day to day life:

  • HID iClass (13.56 MHz)
  • HID ProxCard (125 kHz)
  • EM4100x (125 kHz)
  • MIFARE Classic (13.56 MHz)

We're going to break down the last three because I already covered how to read/write iClass cards.

With some assorted unknown RFID tags and cards we'll try to clone/modify the contents of each. First we need to figure out what technology is behind each card. Generally you can research this information online through serial numbers, manufacturer information, and datasheets.

But with the PM3 you can take a shortcut and run lf search or hf search. These two commands will search for supported RFID tags in the low frequency (125 kHz) and the high frequency (13.56 MHz) range respectively.

HID ProxCard

Let's take a look at the more popular HID ProxCard.

On the front of the card it has some numbers and the words 'HID Proximity'. With some Googling we can ascertain that this is an HID ProxCard which we can clone with some Proxmark commands.

To start off we can search for a supported tag with lf search:

Knowing that it's definitely a ProxCard we can upgrade to the HID specific commands. We already know the Tag ID (2004263f88) but we can run lf hid fskdemod to read ProxCards continuously (push the button on the PM3 to stop scanning):

This Tag ID is directly encoded from the Facility Code (19) and Card ID (8132). You can use some of the online 26 bit Wiegand calculators online to double check this for yourself.

This effectively means that you only need to know those numbers (which are printed on the card itself) to clone the card.
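To make the encoding concrete, here is an added example (my code, not from the original post) that decodes the tag ID printed above into its facility code and card number and rebuilds the frame from those two printed numbers. It assumes the Proxmark's printed HID ID carries the standard 26-bit Wiegand frame (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) in its low 26 bits; the bits above that (the format-length marker and the leading 0x20 in 2004263f88) are framing outside the payload and are not interpreted here.

```python
"""26-bit HID Prox (H10301) Wiegand decoder/encoder.

Added example, not code from the original post. Assumes the Proxmark's
printed HID tag ID (2004263f88 above) carries the 26-bit Wiegand frame in
its low 26 bits; the higher bits are format framing and are left alone.
"""

WIEGAND26_MASK = (1 << 26) - 1


def wiegand26_decode(tag_id: int) -> dict:
    """Split a 26-bit frame into facility code, card number and parity status."""
    frame = tag_id & WIEGAND26_MASK
    bits = [(frame >> (25 - i)) & 1 for i in range(26)]       # MSB first
    even_p, payload, odd_p = bits[0], bits[1:25], bits[25]
    fc = int("".join(map(str, payload[:8])), 2)               # 8-bit facility code
    cn = int("".join(map(str, payload[8:])), 2)               # 16-bit card number
    # leading bit: even parity over the first 12 payload bits;
    # trailing bit: odd parity over the last 12 payload bits
    even_ok = (sum(payload[:12]) + even_p) % 2 == 0
    odd_ok = (sum(payload[12:]) + odd_p) % 2 == 1
    return {"fc": fc, "cn": cn, "parity_ok": even_ok and odd_ok}


def wiegand26_encode(fc: int, cn: int) -> int:
    """Build the 26-bit frame (with both parity bits) from the printed numbers."""
    if not (0 <= fc < 256 and 0 <= cn < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = (fc << 16) | cn                                  # 24 data bits
    pbits = [(payload >> (23 - i)) & 1 for i in range(24)]
    even_p = sum(pbits[:12]) % 2
    odd_p = 1 - sum(pbits[12:]) % 2
    return (even_p << 25) | (payload << 1) | odd_p


if __name__ == "__main__":
    tag = 0x2004263F88                                         # ID read from the card above
    print(wiegand26_decode(tag))                               # {'fc': 19, 'cn': 8132, 'parity_ok': True}
    print(hex(wiegand26_encode(19, 8132)))                     # 0x263f88, the low 26 bits of the tag ID
```

The parity check is what separates a clean read from a partial one: a frame demodulated with a single bit error still yields plausible-looking numbers, but parity_ok comes back False.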

Most low frequency tags don't have any kind of authentication scheme or any protection against replay attacks. It's a simple matter to scan an existing working card and create a clone. With a high powered reader, one can read tags from several feet away.

With the Tag ID in hand, we now need a blank RFID card that we can clone the Tag ID onto. The best card for this is the T5577, which can emulate a variety of low frequency cards including the two being discussed here (HID ProxCard, EM4100).

With the Tag ID in hand and T5577 ready we can clone simply with:

Now the T5577 tag should function as an identical clone to the original ProxCard!

In addition to reading and writing, the PM3 is also capable of simulating an RFID tag but it really isn't as intuitive as one would like. You generally need to have a computer of some sort connected to the PM3 and have the ability to run commands. The simulation could be useful to a pentester, but reading and writing is all most people need.

EM4100 cards are not as common as the HID ProxCard, but they show up sometimes and the PM3 supports them.

We continue once again with the lf search command:

Knowing that it's a EM4100 we can proceed to the more specific EM4100 RFID commands and read the Tag ID:

And once again with the Tag ID in hand we can write it to a T5577.
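What the T5577 actually transmits once it has been programmed as an EM4100 clone is a fixed 64-bit frame, so as an added example (my code, not from the original post) here is an encoder and decoder for that frame. The ID used is constructed for illustration, not read from a real tag. The layout is the standard EM4100 one: nine header ones, ten rows of four ID bits plus an even row-parity bit, four even column-parity bits, and a zero stop bit.

```python
"""EM4100 64-bit frame encoder/decoder.

Added example, not from the original post. SAMPLE_ID is constructed for
illustration. Frame layout: 9 header ones, ten rows of (4 ID bits + even
row parity), four even column parity bits, and a 0 stop bit.
"""

HEADER = "1" * 9


def em4100_encode(tag_id: int) -> str:
    """Return the 64-bit frame as a '0'/'1' string, MSB of the ID first."""
    if not 0 <= tag_id < (1 << 40):
        raise ValueError("EM4100 IDs are 40 bits (8-bit version/customer + 32-bit data)")
    frame = HEADER
    col = [0, 0, 0, 0]                                # running column parity
    for i in range(10):
        nibble = (tag_id >> (36 - 4 * i)) & 0xF
        row = [(nibble >> (3 - j)) & 1 for j in range(4)]
        frame += "".join(map(str, row)) + str(sum(row) % 2)   # data + row parity
        col = [c ^ b for c, b in zip(col, row)]
    return frame + "".join(map(str, col)) + "0"       # column parity + stop bit


def em4100_decode(frame: str):
    """Return (tag_id, ok). Accepts the frame at any rotation: a sniffer rarely
    starts capturing exactly at the header, so the header is located here."""
    if len(frame) != 64 or set(frame) - {"0", "1"}:
        raise ValueError("need a 64-bit frame of '0'/'1' characters")
    # The stop bit (0) followed by nine 1s occurs exactly once per frame:
    # row parity caps any run of 1s inside the data region at eight.
    doubled = frame + frame
    start = doubled.find("0" + HEADER)
    if start < 0:
        return None, False
    bits = doubled[start + 1:start + 65]              # realigned frame
    rows = [bits[9 + 5 * i:14 + 5 * i] for i in range(10)]
    col_par, stop = bits[59:63], bits[63]
    ok = stop == "0"
    col = [0, 0, 0, 0]
    tag_id = 0
    for r in rows:
        data = [int(b) for b in r[:4]]
        ok = ok and sum(data) % 2 == int(r[4])        # row parity check
        col = [c ^ b for c, b in zip(col, data)]
        tag_id = (tag_id << 4) | int(r[:4], 2)
    ok = ok and col == [int(b) for b in col_par]      # column parity check
    return tag_id, ok


SAMPLE_ID = 0x1D00A1B2C3                               # constructed 40-bit ID

if __name__ == "__main__":
    f = em4100_encode(SAMPLE_ID)
    print(f)
    print(em4400_decode(f) if False else em4100_decode(f))   # (SAMPLE_ID, True)
```

The decoder accepts the frame at any rotation and rejects frames whose row or column parity does not hold, which is the check you want before trusting a noisy 125 kHz capture enough to write it to a T5577.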

Most low frequency RFID tags are child's play to read/write/clone/emulate with the Proxmark 3.

Next we'll take a look at a card that is a little more complicated but ultimately broken, the MIFARE Classic.

The MIFARE Classic is a very popular RFID card that's used in many different deployments like bus fare cards, laundry cards, or ID cards. They're very widespread and unfortunately, very broken.

We're going to use the high frequency antenna to read our high frequency MIFARE card.

Let's start off with hf search to try and identify our card:

Unfortunately the MIFARE Classic card is not quite as easy to clone as a low frequency card. It uses a (weak) authentication scheme, so we cannot simply read the UID and copy the data: each sector has to be unlocked with its key before its blocks can be read.

While we can read certain blocks from the card, others are unavailable because of an 'Authentication Error':

Successful Block Read:
Failed Block Read:

At first it may seem odd that we can't read all blocks because we have a key but reading the Wikipedia article clarifies everything for us:

The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc.

For some reason many MIFARE Classic deployments never change the factory default keys, so there are a number of applications that test the default keys against a card.

The PM3 features the 'Test Block Keys' command which will test the default keys for us:

Long story short, it looks like we can use the default key of ffffffffffff to read most blocks but not all of them.

Using the 'Nested Attack' we can use our one useable key to identify keys for the other blocks.

I really have no idea how the Nested Attack works and there's not a bunch of information available online about it... but it works. If you want to learn more about the Nested Attack I would probably recommend reading the PM3 source code or some of the original papers detailing the attacks.

Note

In the earlier Nested Attack command it is important to dump the keys to the dumpkeys.bin file with the d parameter to enable the use of other MIFARE Classic commands.

All of a sudden we have a new key: 080808080808. This key allows us to read our secret blocks:

In addition with the dumpkeys.bin file ready we can dump the entire card and load it onto a blank MIFARE card.

With the dumpdata.bin file we can restore this card's contents onto another card with: hf mf restore 1.

However, cloning a MIFARE card is low on the totem pole. With the new keys we have the ability to read and write to the card. Considering it's commonly used as a fare card, it's reasonable to question whether or not the value of the card can be modified.

To start let's look at a partial dump of the card:

Completely unintelligible until we use the card once and then dump the card's contents again:

A single row in the dump has changed from:

4b07 0000 b4f8 ffff 4b07 0000 05fa 05fa

to

3205 0000 cdfa ffff 3205 0000 05fa 05fa

It's not immediately clear but there is definitely a changing value on the card. The simplest assumption to make is that the card is storing its own value and then decrementing the cost of a given transaction.

Knowing our starting value (7.75), the cost of an item (2.25) and the resulting value (5.50) we can grep for these values in hex. To simplify our search we'll just take 75, convert it to hex (0x4b) and then search for the value in the first dump:

4b07 0000 b4f8 ffff 4b07 0000 05fa 05fa

This is a dead giveaway that the card is storing its own value. Especially considering that the following byte is 0x07. Therefore we should be able to increase the value of our card on our own by modifying these bytes.

What's unclear is the meaning of the bytes after our stored value. They don't seem to repeat and they don't seem to be predictable given our two dumps. Being cautious, instead of just replacing our value with ffff it's simpler to fill up our card normally and then reuse that stored value.

Note

A friend pointed out that the b4f8 value and the 4b07 value add up to ffff which pretty confidently say that it is a checksum value that the reader can use to verify that the card's value was successfully updated after a transaction. Thanks Soly!

With our card filled up to 17.50 we can take a new dump and save the results of Block 5 (where the value is stored).

Now we can endlessly refill our card to 17.50 as follows:


Write Block
Read Block
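The changing row is worth decoding properly, so here is an added example (my code, not from the original post) that parses the two rows above and builds the refill block. The 16-byte layout of value, bitwise-complemented value, value again, then address, complemented address, address, complemented address is the standard MIFARE Classic value-block format, which is what the 4b07/b4f8 pairing reflects. Reading the two low bytes as cents and dollars is the post's own interpretation of this particular fare card and is taken here as an assumption; the 17.50 row is computed from it, not dumped from a card.

```python
"""MIFARE Classic value-block parser/builder for the fare-card rows above.

Added example, not code from the original post. The 16-byte layout
(value, ~value, value, addr, ~addr, addr, ~addr) is the standard MIFARE
Classic value-block format. Treating the low byte as cents and the next
byte as dollars is an assumption taken from the post's own reading of
this particular card.
"""

import struct

BEFORE = "4b07 0000 b4f8 ffff 4b07 0000 05fa 05fa"   # row from the post, balance 7.75
AFTER = "3205 0000 cdfa ffff 3205 0000 05fa 05fa"    # same row after a 2.25 purchase


def parse_value_block(row: str) -> dict:
    """Check the redundancy of a value block; return value, address and validity."""
    b = bytes.fromhex(row.replace(" ", ""))
    if len(b) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    value, = struct.unpack("<i", b[0:4])                 # signed 32-bit little-endian
    v_u, inv_u, copy_u = struct.unpack("<III", b[0:12])
    addr = b[12]
    valid = (v_u == copy_u
             and inv_u == (~v_u & 0xFFFFFFFF)            # bytes 4-7 are the bitwise complement
             and b[13] == (addr ^ 0xFF) and b[14] == addr and b[15] == b[13])
    return {"value": value, "addr": addr, "valid": valid}


def build_value_block(value: int, addr: int) -> str:
    """Emit a valid value block in the post's '4b07 0000 ...' row format."""
    if not 0 <= addr <= 0xFF:
        raise ValueError("block address is one byte")
    v = struct.pack("<i", value)
    inv = bytes(x ^ 0xFF for x in v)
    block = v + inv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])
    h = block.hex()
    return " ".join(h[i:i + 4] for i in range(0, 32, 4))


def fare_value(dollars: int, cents: int) -> int:
    """Assumed card encoding: low byte = cents, next byte = dollars."""
    if not (0 <= dollars < 256 and 0 <= cents < 100):
        raise ValueError("out of range for the assumed two-byte encoding")
    return (dollars << 8) | cents


def fare_cents(value: int) -> int:
    """Inverse of fare_value, as a total in cents."""
    return ((value >> 8) & 0xFF) * 100 + (value & 0xFF)


if __name__ == "__main__":
    before, after = parse_value_block(BEFORE), parse_value_block(AFTER)
    print(before, after)                                                # both valid, addr 5
    print(fare_cents(before["value"]) - fare_cents(after["value"]))    # 225
    print(build_value_block(fare_value(17, 50), 5))                     # 3211 0000 cdee ffff 3211 0000 05fa 05fa
```

Two things fall out of the parse: the 05fa 05fa tail is the block number (5) with its complement, matching where the post found the value, and a reader that honours the value-block format will reject a hand-edited block whose complement or address bytes no longer agree, which is why building the refill block with the redundancy intact matters more than simply overwriting the two value bytes.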


Even if the default keys weren't used, we could sniff the communication between the real reader and the card to ascertain a valid key.


Ultimately as long as we know an existing key, we should be able to use the nested attack to identify other keys to gain read/write access to the card.


Many years of research have gone into the security of RFID card systems and the Proxmark 3 is the best tool for tapping into that wealth of knowledge and learning more about RFID card systems.


I greatly recommend picking up a ProxMark 3 and some T5577 tags if you're interested in cloning your RFID cards and learning more about how these systems work.

It's also useful for converting your company's access control cards into little key fobs 💩